[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
JULY 26, 2000
__________
Serial No. 106-252
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
74-152 DTP WASHINGTON :
2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio
Carolina ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia DANNY K. DAVIS, Illinois
DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas JIM TURNER, Texas
LEE TERRY, Nebraska THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California ------
PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont
HELEN CHENOWETH-HAGE, Idaho (Independent)
DAVID VITTER, Louisiana
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois JIM TURNER, Texas
THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon MAJOR R. OWENS, New York
DOUG OSE, California PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Bonnie Heald, Director of Communications
Bryan Sisk, Clerk
Trey Henderson, Minority Counsel
C O N T E N T S
----------
Page
Hearing held on July 26, 2000.................................... 1
Statement of:
Molander, Roger, senior research, RAND; and John Pescatore,
vice president and research director, Network Security,
Gartner Group.............................................. 152
Schaeffer, Richard C., Jr., Director, Infrastructure and
Information Assurance, Office of the Assistant Secretary of
Defense (Command, Control, Communication, and
Intelligence); Mario Balakgie, Chief Information Assurance
Officer, Defense Intelligence Agency, Department of
Defense; and Jack Brock, Director, Governmentwide and
Defense Information Systems, U.S. General Accounting Office 109
Spotila, John T., Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget........ 49
Vatis, Michael, Director, National Infrastructure Protection
Center, Federal Bureau of Investigation; Juris Reksna,
chief of State Police, Ministry of Internal Affairs,
Latvia; Stefan Kronqvist, chief, Computer Crime Unit,
National Crime Investigation Department, Sweden; Juergen
Maurer, detective chief superintendent, German Federal
Police Office; Elfren L. Meneses, Jr., Anti-Fraud and
Computer Crimes Division, National Bureau of Investigation,
Philippines; Ohad Genis, advocate, chief inspector,
National Unit for Fraud Investigations, Israel Police; and
Edgar A. Adamson, chief, U.S. National Central Bureau--
Interpol................................................... 9
Letters, statements, etc., submitted for the record by:
Adamson, Edgar A., chief, U.S. National Central Bureau--
Interpol, prepared statement of............................ 87
Balakgie, Mario, Chief Information Assurance Officer, Defense
Intelligence Agency, Department of Defense, prepared
statement of............................................... 118
Brock, Jack, Director, Governmentwide and Defense Information
Systems, U.S. General Accounting Office, prepared statement
of......................................................... 130
Davis, Hon. Thomas M., a Representative in Congress from the
State of Virginia, prepared statement of................... 6
Genis, Ohad, advocate, chief inspector, National Unit for
Fraud Investigations, Israel Police, prepared statement of. 82
Horn, Hon. Stephen, a Representative in Congress from the
State of California, prepared statement of................. 3
Kronqvist, Stefan, chief, Computer Crime Unit, National Crime
Investigation Department, Sweden, prepared statement of.... 36
Maurer, Juergen, detective chief superintendent, German
Federal Police Office, prepared statement of............... 43
Meneses, Elfren L., Jr., Anti-Fraud and Computer Crimes
Division, National Bureau of Investigation, Philippines,
prepared statement of...................................... 70
Molander, Roger, senior research, RAND, prepared statement of 154
Pescatore, John, vice president and research director,
Network Security, Gartner Group, prepared statement of..... 161
Reksna, Juris, chief of State Police, Ministry of Internal
Affairs, Latvia, prepared statement of..................... 26
Schaeffer, Richard C., Jr., Director, Infrastructure and
Information Assurance, Office of the Assistant Secretary of
Defense (Command, Control, Communication, and
Intelligence), prepared statement of....................... 111
Spotila, John T., Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget,
prepared statement of...................................... 52
Turner, Hon. Jim, a Representative in Congress from the State
of Texas, prepared statement of............................ 5
Vatis, Michael, Director, National Infrastructure Protection
Center, Federal Bureau of Investigation, prepared statement
of......................................................... 12
COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS
----------
WEDNESDAY, JULY 26, 2000
House of Representatives,
Subcommittee on Government Management, Information,
and Technology,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:02 a.m., in
room 2157, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn, Davis, Turner, and Maloney.
Also present: Tatjana Antonova, Latvian interpreter.
Staff present: J. Russell George, staff director and chief
counsel; Ben Ritt, GAO detailee; Bonnie Heald, director of
communications; Bryan Sisk, clerk; Elizabeth Seong, staff
assistant; Will Ackerly and Davidson Hulfish, interns; Trey
Henderson, minority counsel; and Jean Gosa, minority clerk.
Mr. Horn. A quorum being present, the hearing of the House
Subcommittee on Government Management, Information, and
Technology will come to order.
I apologize for being a little late. It's the first time it
has happened, but we had a party conference this morning and we
got a new Member, so that takes a little time. That is Mr.
Marty Martinez, who switched parties to come with us because he
wanted common sense government.
From the ``ILOVEYOU'' virus to attempts to enter the space
shuttle's communication system, cyber attacks are on the rise.
Every day new viruses and attempted intrusions bombard vital
computer systems and networks within U.S. Government agencies
and private industries. Sometimes the attackers are simply
seeking the thrill of breaking into a supposedly secure system.
Other times, however, the motive is far more sinister--
vandalism, industrial espionage, intelligence collection, or
creating a doorway for a future attack. As the ``ILOVEYOU''
virus clearly demonstrated, these attacks can originate from
nearly anywhere in the world.
Many experts say this is only the tip of the iceberg in
terms of the number of attacks, their sophistication and their
destructiveness. In the United States and in many other
countries, law enforcement agencies and private organizations
collect and share information on these worldwide computer
attacks. However, not all countries have the capability to
detect them, warn others, or even prosecute the hackers once
they have been identified.
In the United States, the Federal Bureau of Investigation
and the Departments of Commerce and Defense all have a role in
tracking and investigating cyber attacks. Many other agencies
and private organizations also track and share this critical
information. Other countries also have law enforcement agencies
and organizations set up to investigate and share cyber attack
information. But among the variety of players, who is
coordinating an efficient, effective response to this
international problem?
Today, we will examine the challenges of coordinating these
cyber attack investigations. Our witnesses represent cyber
crime investigation units in several countries, including the
United States. They will discuss their experiences. There is a
great need for a sharing of these experiences daily, weekly and
at least monthly. Alliances such as the North Atlantic Treaty
Organization should work together if we will be able to win
these cyber wars.
We welcome each of our witnesses. We appreciate many of you
that have taken a long journey to come here, and we look
forward to the testimony you will submit, and it will be put
through the processes to go to the full House of
Representatives after this and other hearings have come by.
So we will now turn to the ranking member, the gentleman
from Texas, Mr. Turner, for an opening statement.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T4152.001
Mr. Turner. Thank you, Mr. Chairman. We know that the
United States and many industrialized nations now depend on the
interconnected computer system that we call the Internet. We
know that it supports critical operations in the private sector
as well as government. And we understand that the increased
reliance upon the Internet has caused us to be highly
vulnerable to cyber attacks.
These cyber attacks know no boundaries and can occur from
anywhere in the world. I had the opportunity to visit with some
members of the European Parliament a few weeks ago and it came
home to me how much we have in common in terms of trying to
deal with the new systems that are in place upon which we all
know we depend for our very livelihood.
It is important for law enforcement agencies throughout the
world to work cooperatively in the defense against those who
would perpetuate computer crimes. And in order to more
effectively fight this battle, we need to coordinate our
information sharing and cooperate as an international community
to be sure that we are protecting our citizens and our
livelihoods.
This committee has had three hearings now on this subject
and many of you on the panel today have traveled long distances
to come and share your thoughts with us, for which we are
extremely appreciative and grateful. I look forward to hearing
from each of you, and I hope that this can be a part of our
continuing effort to work nation to nation to ensure that we
can defend against cyber attacks and protect the security of
our systems.
Thank you, Mr. Chairman.
[The prepared statements of Hon. Jim Turner and Hon. Thomas
M. Davis follow:]
[GRAPHIC] [TIFF OMITTED] T4152.002
[GRAPHIC] [TIFF OMITTED] T4152.003
[GRAPHIC] [TIFF OMITTED] T4152.004
[GRAPHIC] [TIFF OMITTED] T4152.005
Mr. Horn. We thank you very much for all you have done to
pursue some of these real questions and we appreciate that.
We are now turning to the witnesses. We are notified that
we might have to recess for the first vote of the day, and that
is one of the problems we have when we are in the middle of a
hearing where we would rather keep going. Our duty is to get
over to the floor and get back. So that might happen around
10:30. So I would like to begin with this panel.
The way this operation works with all presentations, since
it is an investigating committee, is that we swear all the
witnesses in on a truth oath. And we will call--when we call on
you based on the agenda, the full written statement of yours
and the resume goes into the record so we don't have to hear
the paper you gave us read. We like you to summarize it because
that way it permits a dialog within the panel as well as the
Members who will be here.
So we do not want you to really read your work; just
summarize it for us. We will now ask to you stand and raise
your right hands.
[Witnesses sworn.]
Mr. Horn. The clerk will note that all the witnesses have
taken the oath.
We start with Mr. Michael Vatis, the Director, National
Infrastructure Protection Center of the Federal Bureau of
Investigation. Mr. Vatis.
STATEMENTS OF MICHAEL VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE
PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION; JURIS
REKSNA, CHIEF OF STATE POLICE, MINISTRY OF INTERNAL AFFAIRS,
LATVIA; STEFAN KRONQVIST, CHIEF, COMPUTER CRIME UNIT, NATIONAL
CRIME INVESTIGATION DEPARTMENT, SWEDEN; JUERGEN MAURER,
DETECTIVE CHIEF SUPERINTENDENT, GERMAN FEDERAL POLICE OFFICE;
ELFREN L. MENESES, JR., ANTI-FRAUD AND COMPUTER CRIMES
DIVISION, NATIONAL BUREAU OF INVESTIGATION, PHILIPPINES; OHAD
GENIS, ADVOCATE, CHIEF INSPECTOR, NATIONAL UNIT FOR FRAUD
INVESTIGATIONS, ISRAEL POLICE; AND EDGAR A. ADAMSON, CHIEF,
U.S. NATIONAL CENTRAL BUREAU--INTERPOL
Mr. Vatis. Thank you, Mr. Chairman, Congressman Turner; I
very much appreciate the opportunity to testify before you
today, particularly in the presence of so many of my
international colleagues. I am not aware of any previous
hearing that has had so many international law enforcement
officials together in one place, especially on an issue where
international cooperation is so vital to our success. So I
applaud the committee for holding this hearing in this manner.
As you know, the National Infrastructure Protection Center
was set up in February 1998 and authorized by Presidential
Decision Directive 63 to serve as the government's focal point
for collecting information about cyber threats and attacks,
analyzing that information, issuing pertinent warnings to both
government agencies and private industry, and also coordinating
the government's response to attacks that do occur.
That mission requires cooperative arrangements with a
variety of entities, both governmental and in the private
sector. We need to have close relationships with other Federal
agencies, with State and local law enforcement, with the
private sector owners and operators of the Nation's critical
infrastructures and, most pertinent to this hearing, with our
foreign law enforcement counterparts, and we try to achieve
those cooperative arrangements through a variety of mechanisms.
With other Federal agencies, the first mechanism is by
having those agencies represented in the NIPC, which is, while
located at FBI, an interagency center. So we have numerous
representatives from various components of the Department of
Defense, from the Intelligence Community, from the Department
of Commerce, and from other agencies as well.
We also have State and local law enforcement
representation, as well as foreign liaison representation. That
interagency composition allows us to coordinate more
effectively when there is an incident or when there is the
requirement to share information across agencies and with the
private sector as well.
We also reach out to the private industry through a variety
of outreach initiatives, including our InfraGard program, which
is an initiative to share information about incidents in a two-
way fashion, both so industry can share information with us
that they become aware of and so we can share information with
them about incidents that we become aware of through law
enforcement or intelligence means.
In addition, we reach out to our private industry
counterparts through various conferences and outreach
initiatives to try to generate awareness and to convince them
of the need to raise security in general, because even with all
of our warning efforts, if we do not have better security there
is no way we can really make headway against this problem. The
situation right now is such that vulnerabilities are so rampant
throughout the Internet that until the bar is raised against
attacks, all of the government's efforts really would be
wasted. So we are trying to work in tandem with the private
sector to encourage it to raise the level of security while
also improving our ability in the government to respond to
attacks and issue warnings effectively.
Finally, with regard to foreign law enforcement, I think it
is commonly understood now that in the area of cyber crime,
foreign cooperation is absolutely critical because the Internet
knows no boundaries. It is as easy to launch an attack from a
foreign country as it is from within the United States. And as
a result, we are increasingly finding that our investigations
lead us to foreign countries, where we have to seek the
assistance and cooperation of the domestic law enforcement
agency because we don't have the authority or the capability to
conduct searches or witness interviews or electronic
surveillances in a foreign country. So international
cooperation is absolutely critical.
We have had a number of cases over the last 2 years which
have demonstrated, I think, a great improvement in our ability
to coordinate with foreign countries. In 1998, we had the Solar
Sunrise incident, which involved wide scale intrusions into
Department of Defense computer networks. We tracked down the
intruders with the assistance of the Israeli National Police
and identified two juveniles in the United States and several
individuals in Israel who were responsible for those
intrusions.
This year, we had the arrest of an individual in the United
Kingdom who had broken into Web sites and stolen credit card
numbers and posted many of those numbers on a Web site. That
case was successfully resolved because of close cooperation
between the FBI and a local Welsh police service.
We also had most notably the denial of service attacks in
February of this year--many of those attacks have been
attributed to a juvenile in Canada--based in large part on very
close working relationships between the FBI and the Royal
Canadian Mounted Police.
And then finally we had the ``Love Bug,'' or ``ILOVEYOU''
virus in May of this year. And in that case too, a suspect was
identified in the Philippines really with unprecedented speed,
based again on the very close working relationship between the
FBI and the Philippines National Bureau of Investigation.
So I think all of those major successes demonstrate that we
have made a great deal of progress in improving coordination
with foreign law enforcement agencies. There is clearly a long
way to go because there are so many countries in the world, and
as we see the Internet continue to expand we're not going to
need cooperation just from our close allies within the G-8 or
within European countries and our traditional allies in Asia,
but we are going to need more cooperation from countries that
we have not traditionally worked together with, and that will
pose even more challenges as we try to continue to expand our
network of contacts.
So I look forward to answering any questions that you have,
but I think that sums up the situation from the U.S.
perspective.
[The prepared statement of Mr. Vatis follows:]
[GRAPHIC] [TIFF OMITTED] T4152.006
[GRAPHIC] [TIFF OMITTED] T4152.007
[GRAPHIC] [TIFF OMITTED] T4152.008
[GRAPHIC] [TIFF OMITTED] T4152.009
[GRAPHIC] [TIFF OMITTED] T4152.010
[GRAPHIC] [TIFF OMITTED] T4152.011
[GRAPHIC] [TIFF OMITTED] T4152.012
[GRAPHIC] [TIFF OMITTED] T4152.013
[GRAPHIC] [TIFF OMITTED] T4152.014
[GRAPHIC] [TIFF OMITTED] T4152.015
[GRAPHIC] [TIFF OMITTED] T4152.016
[GRAPHIC] [TIFF OMITTED] T4152.017
Mr. Horn. Well, thank you very much. We appreciate that,
Mr. Vatis.
Our next witness has traveled a long way to come here, so
we are going to listen very carefully to the gentleman's
testimony. It is Mr. Juris Reksna, chief of the State Police,
Ministry of Internal Affairs in Latvia. He is accompanied by a
translator, Tatjana Antonova. And we thank you very much for
coming and sharing your information with us.
[Note.--The following testimony was delivered through an
interpreter.]
Mr. Reksna. Mr. Chairman and members of the subcommittee, I
am honored here to represent the Republic of Latvia and I would
like to express my gratitude for the invitation to participate
in this hearing. The Latvian police and FBI cooperation has
been extensive and has helped investigations in the U.S.A.,
resulting in the identification of violent criminals and the
recovery of substantial amounts of funds for possible return to
victims of crime in the U.S.A.
The cooperation increases every day, and the training that
was provided by FBI and other U.S.A. law enforcement agencies
has helped greatly. The funds, 500,000 U.S. dollars, provided
by the U.S.A. Congress to Latvia for the purchase of equipment
to fight organized crime, will allow Latvia to move into the
cyber age more rapidly and to allow for the examination and
analysis of data, and this will assist the U.S.A. in addressing
crimes which have truly become transnational and the attempt to
use Latvian banks on the Internet to escape detection.
The fight against cyber crimes is the responsibility of the
criminal police of Latvia, which is a part of the National
State Police. Three percent of our cases have international
components. Most are threats that are being sent through
anonymous Internet servers that are located outside the
territory of Latvia, as well as attempts of hackers to break
into financial institution computer systems.
As my time is limited, I will ask my interpreter to read
the recent cases during the 2 years that took place in Latvia.
These are the synopses of criminal cases that have taken
place: The so-called Terrorist Victor case. In March 1997,
information was received about an explosive device placed in a
shop. The police had neutralized this device. Shortly after
that, e-mail threats have been sent by an anonymous person who
called himself Victor, claiming to continue terrorist acts and
demanding ransom.
As a result of investigation it was determined that Victor
telephoned from a mobile phone that was illegally connected to
the networks of Sweden, Norway and Finland. As a result of
joint efforts made by law enforcement agencies from Sweden,
Norway, Finland, Estonia, Austria, Russia, the U.S.A., Victor
was identified. He was sentenced for 7 years in prison.
In the Lowes Home Improvement Center bombing case in North
Carolina an individual planted several explosive devices in the
stores which exploded and injured five persons. The criminal
demanded money from the company and stated it should be wired
to Paritate Bank in Latvia. The Latvian police, in coordination
with the FBI LEGAT and the FBI office in Charlotte, NC, were
able to track telephone calls, provide information on the
account holder in the U.S.A. and his use of the bank's Internet
banking service, which he thought would be difficult to trace
because of the Internet and the location of the bank in Latvia.
The case of ``stockgeneration.com'' is worth mentioning as
well. This pyramid scheme using the Internet was having money
wired to Rietumu Bank in Latvia and attempted then to wire
transfer it to accounts in Russia and elsewhere. The case is
ongoing and being worked in conjunction with LEGAT Tallinn, the
Boston division of the FBI, the Securities and Exchange
Commission in Boston, and the Internal Revenue Service.
Cooperation between the United States and Latvia and Estonia
has resulted in the freezing of $5.5 million for potential
return to U.S. victims.
Cyber crimes have really become transnational. Therefore,
the following measures should be taken urgently to ensure our
success in battling cyber crimes.
Joint international training in order to improve
international response to cyber intrusions; close cooperation
is necessary with all the partners on an international and
national level in order to prevent and investigate cyber crimes
more effectively; we should continue to develop and improve the
current legislation in this issue; the Internet has become a
major aspect of everyday life for the world's society. That is
why international cooperation, mutual understanding and support
is vitally important in order to improve our capabilities to
locate and identify criminals.
Thank you for your attention.
[The prepared statement of Mr. Reknsa follows:]
[GRAPHIC] [TIFF OMITTED] T4152.018
[GRAPHIC] [TIFF OMITTED] T4152.019
[GRAPHIC] [TIFF OMITTED] T4152.020
[GRAPHIC] [TIFF OMITTED] T4152.021
[GRAPHIC] [TIFF OMITTED] T4152.022
[GRAPHIC] [TIFF OMITTED] T4152.023
[GRAPHIC] [TIFF OMITTED] T4152.024
[GRAPHIC] [TIFF OMITTED] T4152.025
Mr. Horn. That is perfect timing if I ever saw it. We just
have a vote now, so we are going to have to recess for about 15
minutes here and vote and come back. Two votes, so it might be
20 minutes. So we are in recess.
Mr. Davis. Mr. Chairman, could I ask unanimous consent that
my statement be put in the record?
Mr. Horn. Without objection, the gentleman's opening
statement will be put after the ranking member as if read.
Thank you. With that, we are in recess for 20 minutes.
[Recess.]
Mr. Horn. The recess is over and we will go to the next
witness, Mr. Stefan Kronqvist, chief, Computer Crime Unit,
National Crime Investigation Department, Sweden. We thank you
for coming the long flight you did have. So please proceed, and
if you could summarize it in 5 to 7, 8 minutes, that would be
appreciated.
Mr. Kronqvist. Thank you, Mr. Chairman, Congressman Turner.
Thank you for the opportunity to appear before you today to
describe the situation on combating cyber crime from the
Swedish point of view.
On the reorganization of the Swedish police force, the
National Criminal Investigation Department is the central
responsible authority for operational police activities.
Responsibilities of the national CID include criminal
intelligence service, certain qualified criminal investigations
and support to the local police authorities. The NCID is
functioning as central level coordinator for the combat against
organized crime.
Further, the NCID is responsible for operational
international police cooperation, operation and serving as
National Central Bureau of the Interpol and the national
Europol units.
The Information Technology Crime Unit of the NCID has
instructions to maintain and develop national support
activities in order to assist the local police authorities in
surveying and investigating IT crime. The unit provides
training, developmental tools and techniques and also carries
out operational activities by conducting house searches and
interviews and analyzing seizures and also by tracing and
identifying persons who use the Internet and its services and
functions as targets or means in the commission of crime.
Recently, we established a 24-hour service, one reason
being that Sweden had joined the G-8 Network contact point for
high-tech cases.
The IT unit at NCID is processing some 500 cases yearly. Of
these cases about 50 percent are Internet related. Practically
all Internet cases have an international component. The
Internet knows no boundaries and no border lines.
For a good many years the NCID has enjoyed a state of close
and comprehensive cooperation with the FBI. We have had several
investigations where we worked with the FBI and perhaps the
best known case would be the E911 case in which our unit
cooperated with the FBI in an effort to trace and identify a
Swedish suspect who, by means of illegal telecommunication,
periodically locked the E911 lines in a major area in Florida.
One element of this cooperation was to set up a tracing
team with Swedish and U.S. telecommunication operators. This
was a rather complex operation, which could not have succeeded
without the professional skill and dedication of the units and
the investigators involved.
The E911 case was very instructive, not least because the
perpetrator posed a threat to infrastructure functions. FBI
Director Mr. Louis Freeh described the incident ``as a dress
rehearsal for a national disaster.''
The main problem we are facing in Internet crime is
obtaining access to useful information from foreign Internet
providers and responsible Web managers. Normally, a provider
asks for a court order, subpoena, or other form of domestic
disposition before information is supplied. Such a decision
must be preceded by an international letter rogatory, a time
consuming procedure, as we all know. It is my understanding
that certain criminal operators are well aware of this.
One way of addressing this problem that suggests itself
would be international agreements to release subscriber
information and logged IP addresses and other useful
information to law enforcement authorities in another country
without the requisite of a formal rogatory request. The
transmission of information would be handled via special
contact points in order to secure authority and make sure that
the information does not fall into the wrong hands.
In order to ensure the quality of documents or information,
probably some kind of authorization or licensing of Internet
operators might be a possible alternative. You may probably not
get to the actual criminals that way, but what do they care
about regulations anyway? Thank you for your attention.
[The prepared statement of Mr. Kronqvist follows:]
[GRAPHIC] [TIFF OMITTED] T4152.026
[GRAPHIC] [TIFF OMITTED] T4152.027
[GRAPHIC] [TIFF OMITTED] T4152.028
[GRAPHIC] [TIFF OMITTED] T4152.029
[GRAPHIC] [TIFF OMITTED] T4152.030
Mr. Horn. Well, we thank you very much. That is a very fine
presentation, and we can learn a lot from it.
Our next witness is Mr. Juergen Maurer, detective chief,
superintendent, German Federal Police Office.
Mr. Maurer. Mr. Chairman, ladies and gentlemen, I am very
pleased and sincerely honored to receive the opportunity to
address the members of this honorable committee.
My name is Juergen Maurer. I am a Leitender
Kriminaldirecktor of the German Criminal Police Office, or BKA.
I am the head of the Subdivision Central Services within the
BKA and, among others, responsible for the undercover program
and the foreign liaison program of the BKA. In this context,
allow me to give you some short background information about
our office.
The BKA was founded in 1951. In Germany, based on our
Constitution, police work is in general within the jurisdiction
of the Federal states. The BKA law constitutes an exemption
from this principle. As a result of this exemption, the BKA is,
among others, the German National Center Bureau of Interpol and
the main law enforcement agency in the field of international
organized crime and terrorism cases. The BKA is also the
primary police agency dealing with cyber crime.
The bulk of cyber crime cases handled by the BKA has an
international component. A special reporting system has been
set up for information and technology crime and shows that
about 50 percent of ICT cases have an international component.
Cooperation with partner agencies from abroad is mainly
through the 24-hour contact points for international high-tech
and computer-related crime established by the G-8 countries. In
addition, there are contacts with the United States using our
BKA liaison officers at our Embassy in Washington, DC, or the
FBI liaison officer posted to Frankfurt, Germany, on a case-by-
case basis. Contact with the NIPC on a case-to-case basis has
occurred so far only in connection with the distributed denial
of service attacks in February this year.
The case showed that even though the cooperation was very
good, there is still a need to establish a more efficient and
effective way of exchanging information. In late June this
year, representatives of the BKA and NIPC discussed
possibilities to enhance the cooperation.
The overall investigative cooperation of BKA and FBI has a
long tradition and has proved very successful. We work together
in a significant number of organized crime and white collar
crime cases. There has also been a very successful cooperation
with the FBI concerning fugitive cases.
Within the BKA, the IT crime section has about 30 officers
and the following tasks: collection and analysis of IT crime
information; national reference point on IT crime; assistance
and training for other investigative units; analysis of data
carriers and storages; Internet investigation; and the so-
called data network patrol.
In this unit, 15 police officers in an overt, nonconcealed
manner are surfing the net and developing criminal cases in
identifying the perpetrators. In 1999, around 1,100 cases with
the suspicion of crime were detected; 90 percent of these cases
were child pornography cases, 81 percent of these cases had an
international component; 62 percent of these cases had a
connection with the United States.
What should have priority in the future? First, victims of
cyber intrusions as well as ISPs should keep and make available
log files providing information about the IP addresses used by
the criminal or other information that may help identify the
criminal.
It would also assist investigators if the ISP created
technical prerequisites for the surveillance of on-line
communications comparable to telecommunications interception
for them to be conducted straight away if required by law.
Second, there is already a variety of training and advanced
training courses organized on the international level. However,
more training should be provided. There is a need to create
uniform training standards for investigators at the
international level and establish points of contact for partner
agencies from abroad to guarantee a great information flow.
Third, many victimized companies in Germany are still
hesitant to file a criminal complaint with the law enforcement
agencies because they feel loss of prestige. For the benefit of
law enforcement, it seems important to forge cooperation
partnerships with the system administrators of the victims to
obtain the required information more quickly. In urgent cases;
for example, extortion and danger to life and limb, access to
the raw data should be possible without having to go through
the time consuming standard formalities under international
law.
Also some types of computer crime and cyber intrusions in
particular require an immediate response by the law enforcement
community since data needed as evidence are usually stored for
a short period of time only.
That was pretty much I wanted to stress. Thank you very
much for your attention.
[The prepared statement of Mr. Maurer follows:]
[GRAPHIC] [TIFF OMITTED] T4152.031
[GRAPHIC] [TIFF OMITTED] T4152.032
[GRAPHIC] [TIFF OMITTED] T4152.033
[GRAPHIC] [TIFF OMITTED] T4152.034
[GRAPHIC] [TIFF OMITTED] T4152.035
[GRAPHIC] [TIFF OMITTED] T4152.036
Mr. Horn. Thank you very much.
We will go out of order because we are trying to help on a
situation that a member of the executive branch has here. So if
you might, we are going to start with his testimony, since he
has to be elsewhere.
John T. Spotila is the Administrator, Office of Information
and Regulatory Affairs, Office of Management and Budget, which
is part of the President's Executive Office of the President.
STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF
INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND
BUDGET
Mr. Spotila. Good morning, Mr. Chairman. Thank you for
inviting me here to discuss administration efforts in the areas
of computer security and critical infrastructure protection.
The President has given high priority to cyber security and
the protection of our Nation's critical information assets. He
understands the growing risks that our Nation faces from cyber
threats and has taken a series of steps outlined in my written
testimony to develop our cyber defenses. In his fiscal year
2000 budget, the President proposed some $2 billion for agency
critical infrastructure protection and computer security
programs. This would be an increase over last year's enacted
total of $1.8 billion.
It would include funding to detect computer attacks,
coordinate research on security technology, hire and train more
security experts, and create an internal expert review team for
nondefense agencies.
These initiatives are vitally important. Regrettably, many
of our requests for security funds face an uncertain future in
the appropriations process. We critically need funding for the
National Institute for Standards in Technology and the Critical
Infrastructure Assurance Office at Commerce, for the Federal
computer incident response capability, and the Federal
intrusion detection network at GSA, for public key
infrastructure work at Treasury, and for the scholarship for
service effort at the Office of Personnel Management and the
National Science Foundation.
It has been particularly difficult to gain support for
crosscutting initiatives, despite their importance to our
computer security efforts. We should be more open to innovative
approaches in this area and look for opportunity for synergy
and interagency cooperation.
OMB plays a key role in government computer security
efforts. In February, we issued important guidance to the
agencies on incorporating security and privacy requirements in
each of their fiscal year 2002 information technology budget
submissions.
In the future, when requesting approval for information
technology funds, agencies must demonstrate how they have built
adequate security and privacy controls into the life cycle
maintenance and technical architectures of each of their
systems. Without an adequate showing, the systems will not be
funded.
OMB Circular A-130 sets forth governmentwide policies for a
wide variety of information and information resource management
issues. It addresses agency management of information and
information systems, including capital planning and investment
control. Appendix 1 sets privacy policy. The soon to be issued
appendix 2 defines policy for information architectures and
implementation of the Government Paperwork Elimination Act.
Appendix 3 sets security policy.
Importantly, appendix 3 requires Federal agencies to adopt
a minimum set of risk-based management controls. Four controls
are described: assigning responsibility for security, security
planning, periodic review of security controls, and management
authorization.
These controls are intentionally not technology dependent.
Instead, they focus on the management controls agencies need to
assure adequate security. Technical and operational controls
should support these management controls.
We believe, as GAO has said, that our computer security
policies are properly focused on a risk-based cost-effective
approach and reflect the right balance between strong security
and mission needs. Good design and good planning are the keys
to successful security. For good design, security must be
compatible with and enable, not unnecessarily impede, system
performance, business operations, and the mission.
When security unnecessarily slows the system or hinders the
mission, users often work around it or ignore it completely. To
work effectively, security must be part of the system
architecture, built in so that users will buy in.
Good planning requires that we fund security and privacy as
part of the life cycle costs for each system. To identify a
true system cost and adequately plan for future system or
program operations, we must account for all of the resources
necessary to operate the systems, including security.
Our approach provides maximum flexibility for agencies so
that they can make appropriate informed choices in applying
necessary security controls that are consistent with their
unique circumstances.
Most security problems come not from a lack of policy, but
rather from ineffective or incomplete implementation of
existing policies and guidance. We are very much aware of this
risk in the Federal context. There is much more to be done
before we reach full implementation of our existing security
guidance.
As my written testimony describes, we are working on a
number of specific projects to assist the agencies and enhance
governmentwide security. These include testing a systematic
process of identifying, assessing, and sharing effective
security practices; finalizing security performance measures
against which agencies can assess their security programs;
creating a formal process for coordinating our governmentwide
response to cyber incidents of national significance; and
promoting more timely agency installation of patches for known
vulnerabilities.
These are innovative efforts that show great promise. They
need congressional support if we are to fulfill that promise.
We appreciate your interest in all of these matters and look
forward to continuing our close cooperation with the committee
in this important
area. We value our partnership with you and hope that this
hearing will mark a further strengthening of our joint efforts
on behalf of the American people.
Thank you.
[The prepared statement of Mr. Spotilla follows:]
[GRAPHIC] [TIFF OMITTED] T4152.037
[GRAPHIC] [TIFF OMITTED] T4152.038
[GRAPHIC] [TIFF OMITTED] T4152.039
[GRAPHIC] [TIFF OMITTED] T4152.040
[GRAPHIC] [TIFF OMITTED] T4152.041
[GRAPHIC] [TIFF OMITTED] T4152.042
[GRAPHIC] [TIFF OMITTED] T4152.043
[GRAPHIC] [TIFF OMITTED] T4152.044
[GRAPHIC] [TIFF OMITTED] T4152.045
[GRAPHIC] [TIFF OMITTED] T4152.046
[GRAPHIC] [TIFF OMITTED] T4152.047
[GRAPHIC] [TIFF OMITTED] T4152.048
[GRAPHIC] [TIFF OMITTED] T4152.049
[GRAPHIC] [TIFF OMITTED] T4152.050
Mr. Horn. Thank you, Mr. Spotila. I would like to ask a few
questions before you leave.
OMB Circular A-133, section 3, so forth, requires that
agencies have an incident response capability to address
security incidents in a system and to share information
concerning common vulnerabilities and threats. The incident
response capability shall share information with other
organizations and assist the agency in pursuing appropriate
legal action consistent with the Department of Justice
guidance, is our reading of that.
Have all the agencies complied in developing an incident
response capability?
Mr. Spotila. Mr. Chairman, to varying degrees, all of the
agencies have sought to comply. One of the areas of focus, and
I go into a little more detail in the written testimony, and we
certainly would be happy to work very closely with you on
this--that we in OMB have been focused on is how to get all the
agencies to do a better job at this. And again some are better
at it than others in the nondefense area.
We think that part of the answer is integrating it into
their overall approach to information technology, not just an
add-on, in other words, approach, but to integrate it into all
of their planning. And although we are making progress, we also
recognize there is much we need to learn, including how it is
we assess how well they are doing. We are working with the CIO
counsel and the agencies to develop popular metrics performance
measures. We know there is a lot more work to be done here.
Mr. Horn. Are all agencies fully participating in the
sharing of information on shared threats and vulnerabilities?
Mr. Spotila. To my understanding, they all are. I am not
aware of any that have resisted that, for example.
Mr. Horn. What, if any, guidance will OMB issue that
outlines a framework for sharing such information in an
international context? Is there some thinking going on that?
Mr. Spotila. We have discussions under way. I don't know
that we have made a decision as to what type of guidance would
be appropriate in the international context. Our focus has been
clearly with nondefense agencies and our focus has been
obviously threats can come from anywhere in the globe. We are
aware of that. But in terms of communicating outward in the
international context, I think that is something that remains
to be discussed and we are open to suggestions from you if you
think we should do more.
Mr. Horn. Are we looking at the Embassies to help in this
regard? I know in some cases we have appropriate security
people. Or are you thinking of doing that and/or also direct
contact with our security people and a particular nation's
security people?
Mr. Spotila. There is obviously here an area where the
State Department has had a lead in terms of focusing on
security, particularly relating to the Embassy, and the Defense
and National Security Agencies have been addressing this for
some time. One of the questions is whether there is more that
needs to be done beyond that and, if so, to what extent OMB
should issue guidance. I think this is an area where we need to
work on it in a continuing way.
The threat is evolving. The nature of the technology is
evolving, and I think that we need to continually look at
whether there is more that should be done.
Mr. Horn. Well, as you have suggested here, the computer
security policy development and oversight that OMB has, and I
take it then will plan some policy on international information
and sharing and coordination?
Mr. Spotila. I would be happy to get back to you, Mr.
Chairman, with a written response if you like and could perhaps
elaborate on this more.
Mr. Horn. That is fine. Does the FBI's Carnivore program
provide information and data to the National Infrastructure
Protection Center? I would like to ask you and Mr. Vatis where
we are on that.
Mr. Spotila. Mr. Vatis is probably much more familiar with
the details of that than I am.
Mr. Horn. So OMB has not really been involved with that? It
has been left to Mr. Vatis's organization?
Mr. Spotila. We have not been directly involved in that to
my understanding. We're aware of it now and I know that we have
asked for further information on it.
Mr. Vatis. Mr. Chairman, the Carnivore technique and other
methods for electronic surveillance are the province of the
FBI's Laboratory Division. The NIPC is one of the consumers of
those techniques, just as the Organized Crime Program, the
Counterterrorism Program, etc., are users of that technique.
And my understanding is that we have had a small number of
computer intrusion cases that have used that technique through
the Laboratory Division.
Mr. Horn. Before you leave, Mr. Spotila, I was obviously
interested in the $1.8 billion last year and now $2 billion
this year. Did representatives of the administration make their
case before either the authorization committees or the
appropriations subcommittees?
Mr. Spotila. My understanding is they have. And I think
that some of these decisions remain out there in the initial
markups. A number of these areas are not being funded, which
has been raised certainly to a level of concern internally.
Sometimes that reflects perhaps less of a willingness to deal
with crosscutting initiatives that affect lots of agencies,
particularly in a context of relatively lean resources at the
subcommittee level.
This is a transition area. That is one of the reasons that
I refer to it in my testimony. We are all in a position of
change here and as we try to work with the agencies to look for
crosscutting approaches, one of the realities is that the
appropriations process is not always set up to look at it the
same way.
We obviously have not been effective enough in making the
case because the record thus far in terms of how the
appropriations subcommittees are dealing with it is not as good
as we would like it to be. But the process is not over, which
is one of the reasons we wanted to call it to your attention as
well.
Mr. Horn. I am delighted that you did. And if you want to
give me a letter that I can play postage man with the
appropriators, I would be glad to do it.
Mr. Spotila. Certainly, we will do that. We will followup
with that.
Mr. Horn. Thank you very much and I know that you have----
Mr. Spotila. Thank you very much, Mr. Chairman. Thank you
for your courtesy.
Mr. Horn. OK. Back to the regular order. Our next speaker
has come a long way also, and that is Mr. Elfren Meneses, the
Antifraud and Computer Crimes Division, National Bureau of
Investigation of the Philippines. Mr. Meneses.
Mr. Meneses. Mr. Chairman, members of this committee, good
morning. I am Elfren Meneses. I come from Manila, Philippines
and am presently employed in the National Bureau of
Investigation.
My agency is under the Department of Justice, and its
history is that it started as a Division of Investigation in
the Department of Justice and later on organized as the
National Bureau of Investigation under Republic Act 157 in June
1947. Under the Republic Act 157, as amended, the NBI is
empowered to investigate crimes and other offenses against the
laws of the Philippines both at its own initiative and as
public interest may require; to assist when officially
requested in the investigation or detection of crimes and other
offenses; to act as national clearinghouse of criminal records
and other information for use of all prosecuting and law
enforcement entities in the Philippines; to give technical help
to all prosecuting and law enforcement officers, agencies of
the government, and courts which may ask for its service.
Its added functions include to investigate Tanodbayan
cases; to actively participate in the activities of the ICPO-
Interpol; and to perform such other related functions as the
Secretary of Justice may assign from time to time.
The NBI is composed of six services; namely, the Special
Investigation Services, which is based in Manila and charged
with the investigation of common crimes, heinous crimes, white
collar crimes, and transnational crimes. The other services are
the Regional Operation Service, the Domestic Intelligence
Services, the Technical Services, the Administrative Services
and the Controller Services.
The investigator in the National Bureau of Investigation is
called an NBI agent with the qualification that he must be a
member of the Philippine Bar or he must be a lawyer or a
Certified Public Accountant. He must be between the ages of 24
and 35 years old and must not have a derogatory record.
On the issue of computer law of the Philippines, a week
after the start of the investigation of the ``ILOVEYOU'' virus
by the National Bureau of Investigation, the 11th Congress of
the Republic of the Philippines and the Senate started
reviewing pending bills in both houses. On June 14 of this
year, President Joseph Ejercito Estrada approved Republic Act
No. 8792, entitled ``An act providing for the recognition and
use of electronic commercial and noncommercial transactions,
penalties for unlawful use thereof, and other purposes.'' It is
also called as our E-commerce Act.
Prominent in this law is section 33 of Republic Act 8792
wherein it states: The following acts shall be penalized by
fine and/or imprisonment, as follows: Hacking or cracking,
which refers to unauthorized access into or interference in a
computer system/server or information and communications
system, or any access in order to corrupt, alter, steal or
destroy, using a computer or other similar information and
communication devices without the knowledge and consent of the
owner of the computer or information and communication system,
including the introduction of computer viruses and the like,
resulting in the corruption, destruction, alteration, attack or
loss of electronic data, message, or electronic documents,
shall be punished by a minimum fine of 100,000 pesos and a
maximum commensurate to the damage incurred and a mandatory
imprisonment of 6 months to 3 years.
Now, on the issue of international cooperation, the
cooperation between the National Bureau of Investigation and
the FBI Legal Attache in Manila in the investigation of cyber
intrusion is excellent. Fast and constant exchange of
information by both offices is always assured. Technical people
from the FBI are immediately sent to the Philippines upon need
to confirm evidence gathered by the NBI agents.
To update the NBI agents in their investigation of cyber
intrusions, Legal Attache in Manila recommends the training of
agents at the FBI Academy in Quantico, VA or any FBI-sponsored
training conducted in the Philippines.
An example of this is the investigation of the ``ILOVEYOU''
virus wherein both offices, the NBI and FBI Legal Attache,
worked closely from the startup to the termination of the
investigation and even after the filing of the case before the
Department of Justice of the Philippines.
Another example of cooperation by both offices is the
arrest and deportation of U.S. fugitives in the Philippines. As
of the end of June this year, there were 15 U.S. fugitives
arrested, 13 of which were deported to the United States, two
are still in the process of extradition.
At this point in time, we also coordinated during the Y2K
millennium bug. And in line with its international relations,
the NBI is actively participating in tracing perpetrators of
cyber intrusions, as well as personalities known for bank fraud
and other electronic commercial offenses. These efforts the NBI
will continue to pursue as it honors its commitment to the
global community.
At this stage I would like to thank you, Mr. Chairman, for
inviting us here and to give our statement. Thank you very
much.
[The prepared statement of Mr. Meneses follows:]
[GRAPHIC] [TIFF OMITTED] T4152.051
[GRAPHIC] [TIFF OMITTED] T4152.052
[GRAPHIC] [TIFF OMITTED] T4152.053
[GRAPHIC] [TIFF OMITTED] T4152.054
[GRAPHIC] [TIFF OMITTED] T4152.055
[GRAPHIC] [TIFF OMITTED] T4152.056
[GRAPHIC] [TIFF OMITTED] T4152.057
[GRAPHIC] [TIFF OMITTED] T4152.058
[GRAPHIC] [TIFF OMITTED] T4152.059
[GRAPHIC] [TIFF OMITTED] T4152.060
Mr. Horn. We definitely appreciate all you have gone
through and we are delighted to have you share those
experiences with the rest of us. So we will get to some of that
more in the question period.
We will now go to Mr. Ohad Genis, advocate, chief inspector
National Unit for Fraud Investigations, Israeli Police.
Welcome.
Mr. Genis. Good morning and shalom to everyone. And by the
way it is Genis, not Jenis.
On behalf of the Israel Police, I would like to thank you
for this tremendous opportunity to appear before you and
discuss our point of view concerning cyber crime and
international cooperation. Of the 50 cyber crime cases dealt
with by our department, 20 cases had an international
component.
I would like to stress that our department does not handle
all the cyber crime cases in Israel. Cases that are of local
interest or that do not require intensive organization are done
by the field units and, unfortunately, I don't have their data.
However, I can estimate that more than 30 percent of our cases
require international cooperation and there is definitely a
growing number of cases--of requests, sorry, for international
assistance.
In the global arena when referring to the Internet as a
borderless scene of a crime, an effective international
cooperation is the key to success. And when I say effective, I
mean both the accuracy of the data received from abroad and the
time it takes to be transferred.
Today, all of the Israel ongoing cooperation is with the
United States, which we warmly welcome since you always deliver
the goods with the help of the great and most efficient legal
attaches in Israel, Special Agents Kerry Gleicher and Scott
Jessey, and we enjoy an excellent working relationship with the
FBI.
However, during an investigation when we are obliged to
request for international assistance, due to the complexity of
the legal process, we know for sure that we have lost the time
momentum and that the entire investigation will be put on hold
for weeks and sometimes for months until we receive the
relevant information, and I'd like to elaborate briefly on
that.
We all know that in order to transfer data from one
computer to another we must use a protocol, and the protocol
used on the Internet is the Transmission Carrier Protocol,
known as the TCPIP. This protocol identifies each and every
computer connected to the Internet by a number called IP
address, Internet Protocol address. And theoretically, each and
every computer connected to the Internet receives a unique IP
address.
We all use this IP address to trace our suspects. And most
of our requests are for the identity of the user who used this
specific IP address, or what was the IP address used by the
user who sent a specific e-mail message.
For this data we still have to wait weeks and months and we
believe that what is required today is the establishment of a
central organization which will handle all requests for
international assistance with on-line access, which will
accelerate all the legal process--all the process of requesting
international assistance.
Another matter that I'd like to mention is conducting
international conferences. International conferences have
proved themselves as being most efficient in all aspects of
international cooperation, including sharing of experience,
views and assumptions of solutions to common problems, etc. I
had the privilege of participating in a conference held at the
FBI Academy in March this year, and I can state categorically
that our investigations have--our investigations benefited
significantly from that conference in many aspects.
I would also like to mention that most of the foreign
investigators, including the FBI investigators, felt that
meeting face-to-face would assist us in our future cooperation.
I'd like to mention the time it takes for us to receive
requested assistance from abroad now can be used by the hackers
and they can to their advantage gain from this complication of
law enforcement and use it to their own benefit, where in these
investigations the time is of the essence.
In summation, I would like to say that in the high
technology era, the establishment of an international center
that would handle requests--international requests with on-line
access and conducting international conferences and trainings
would be the key to a successful joint effort in fighting cyber
crime.
Thank you very much.
[The prepared statement of Mr. Genis follows:]
[GRAPHIC] [TIFF OMITTED] T4152.061
[GRAPHIC] [TIFF OMITTED] T4152.062
[GRAPHIC] [TIFF OMITTED] T4152.063
Mr. Horn. We thank you very much. That's very helpful case
study.
We now go to Mr. Edgar A. Adamson, the Chief of the U.S.
National Central Bureau, Interpol. Thank you for coming.
Mr. Adamson. Mr. Chairman, thank you for providing me the
opportunity to participate in today's subcommittee hearing on
computer security issues. I am currently assigned to the
position of Chief of the U.S. National Central Bureau of
Interpol. I am a U.S. Treasury Special Agent with 30 years of
experience with the Customs Service Office of Investigations.
The Interpol U.S. National Central Bureau is a component of the
Department of Justice with representatives from 16 different
U.S. Federal law enforcement agencies, including a management
team from both the Department of Justice and the Department of
Treasury.
As you are well aware, the information revolution has
changed the world forever, transforming the way we think and
the way we use information. Our dependence on these new sources
and methods grow daily, and at least some part of nearly every
interaction we undertake now occurs within this virtual world.
Of course, this widespread dependence increases our
vulnerability to criminal activity.
The ease with which criminals can access the means
necessary to commit cyber crimes, the multiple jurisdictions in
which these crimes are committed and the lack of adequate
legislation for computer-related crime and the seemingly risk-
free environment for the cyber crime perpetrator are all
factors that point to a likely increase of this type of crime
in the future.
Cyber crime is truly international in character as the
electronic frontier has no bounds. It demonstrates that the
need for international law enforcement cooperation has never
been greater. To respond effectively, the U.S. law enforcement
authorities must be able to overcome some very real cultural,
linguistic, legal and digital barriers that complicate the
positive exchange of criminal investigative information across
national administrations and sovereign boundaries.
Interpol exists to facilitate this critical exchange among
its 178 member countries and provides the necessary framework,
rules of police cooperation, and essential tools and services
that promote the adoption and use of international standards,
foster best practice, and permit investigative results.
Interpol recognizes the severity of the cyber crime
challenge and is committed to achieving effective computer
security and cyber enforcement through the development and
delivery of operational programs and training and the
establishment of international standards and the promotion of
best practices worldwide.
Interpol is in the unique position to facilitate timely and
reliable notification concerning intrusion attempts and
information on the widespread computer viruses through its
worldwide communications network. The strength of the Interpol
organization lies in the frame of law enforcement information
exchange.
Interpol has established rules for police cooperation in
its 178 countries. Interpol has been around for 75 years. It is
the only global police organization. Worldwide on-line
communications network links its membership. It is reliable,
immediate, global, and it overcomes all the cultural,
linguistic, and legal barriers.
The Interpol organization participates with other
international organizations and national regional bodies. It
participates and is a member of the G-8 Subgroup on High-tech
Technology. It participates in the Council of Europe, and has
observer status at the United Nations.
Regarding cyber crime, Interpol is a means again as to
whereby we can exchange information on the varieties of cyber
crime. We have a point of contact in all countries for
immediate notification of security computer alerts, etc. We
again work with the G-8 High-tech Subgroup. We coordinate
training programs and we have various neutral forum meetings to
develop best practices.
In recent years, the United States has made a strong
commitment to Interpol. The U.S. Customs Commissioner Raymond
Kelly has served for the last 3 years as Vice President for the
Americas on Interpol's 13-member guiding Executive Committee,
and FBI Deputy Director Tom Pickard has announced his intention
to continue U.S. leadership in the organization and will stand
for election to the Interpol Executive Committee this November.
Also this November, Ronald K. Noble will become the first
non-European and the first American to hold the position of
Interpol General Secretary--Secretary General in Lyon, France
for a 5-year term. His candidacy was strongly supported by the
heads of U.S. law enforcement organizations and prevailed on a
platform of change to realize the organization's full
potential. His vision for Interpol advocates greater inclusion
for all its member nations and better use of electronic
communication tools to increase the speed, accuracy and
reliability of law enforcement exchange.
In conclusion, Interpol membership and participation
increases the likelihood for detection, timely notice and law
enforcement response to cyber intrusions. It also permits
access to a 24-hour network of international experts and over
40 countries in a secure and confidential manner. Our ability
to deal effectively and efficiently with cyber crime can be
enhanced through competency building for less experienced
enforcement agencies worldwide and through continued
coordination and cooperation among U.S. law enforcement
agencies dealing with various aspects of this emerging crime
area.
I thank you again for permitting me the opportunity to
address the subcommittee, and I am happy to answer any
questions.
[The prepared statement of Mr. Adamson follows:]
[GRAPHIC] [TIFF OMITTED] T4152.064
[GRAPHIC] [TIFF OMITTED] T4152.065
[GRAPHIC] [TIFF OMITTED] T4152.066
[GRAPHIC] [TIFF OMITTED] T4152.067
[GRAPHIC] [TIFF OMITTED] T4152.068
[GRAPHIC] [TIFF OMITTED] T4152.069
[GRAPHIC] [TIFF OMITTED] T4152.070
[GRAPHIC] [TIFF OMITTED] T4152.071
[GRAPHIC] [TIFF OMITTED] T4152.072
[GRAPHIC] [TIFF OMITTED] T4152.073
[GRAPHIC] [TIFF OMITTED] T4152.074
[GRAPHIC] [TIFF OMITTED] T4152.075
[GRAPHIC] [TIFF OMITTED] T4152.076
[GRAPHIC] [TIFF OMITTED] T4152.077
[GRAPHIC] [TIFF OMITTED] T4152.078
[GRAPHIC] [TIFF OMITTED] T4152.079
[GRAPHIC] [TIFF OMITTED] T4152.080
[GRAPHIC] [TIFF OMITTED] T4152.081
[GRAPHIC] [TIFF OMITTED] T4152.082
[GRAPHIC] [TIFF OMITTED] T4152.083
[GRAPHIC] [TIFF OMITTED] T4152.084
[GRAPHIC] [TIFF OMITTED] T4152.085
Mr. Horn. Thank you very much. That is a very helpful
statement. We now move to Mr. Richard Schaeffer, Jr., Director,
Infrastructure and Information Assurance, Office of the
Assistant Secretary of Defense for Command Control
Communication and Intelligence. Join us up here, and we will
join the others also. If we might get you all around that
table, we would appreciate it, if the staff would do that.
Might get another table over here. But we like to have a dialog
once we are done with all of the presenters, and I would just
as soon have everybody at the same table if that is possible.
Mr. Schaeffer, please proceed.
STATEMENTS OF RICHARD C. SCHAEFFER, JR., DIRECTOR,
INFRASTRUCTURE AND INFORMATION ASSURANCE, OFFICE OF THE
ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL,
COMMUNICATION, AND INTELLIGENCE); MARIO BALAKGIE, CHIEF
INFORMATION ASSURANCE OFFICER, DEFENSE INTELLIGENCE AGENCY,
DEPARTMENT OF DEFENSE; AND JACK BROCK, DIRECTOR, GOVERNMENTWIDE
AND DEFENSE INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE
Mr. Schaeffer. Thank you, Mr. Chairman. I appreciate the
opportunity to be here today to discuss this very important
topic.
To set the stage for my remarks, I'd like to say a few
words about the environment in which the Department of Defense
[DOD], conducts its daily operations during peacetime, during
crisis, and even during war.
The Department's steadily increasing dependence on a global
information environment over which it has little control
heightens its exposure and vulnerability to a growing number of
increasingly sophisticated internal and external threats.
Globally internetworked and interdependent information systems
tend to level the playing field between allies and adversaries
and offer adversaries access to potentially high value, low
risk information infrastructure targets.
These targets, if successfully attacked, have the potential
to impact the full spectrum of DOD operations. To attack a
large number of systems, an adversary need only find and attack
a single exploitable connection to the system. Once inside the
system, an adversary can exploit it and the systems networked
to it. Further, with every advance in information technology,
new vulnerabilities are created that must be quickly discovered
and effectively neutralized.
Providing for the protection of the defense information
infrastructure is one of the Department's highest priorities
and most formidable challenges. Within the DOD, we have
established detailed procedures for the coordination of all
cyber events. The Joint Task Force-Computer Network Defense
[JTF-CND], was formed on December 30, 1998, to provide a single
command with the authority to coordinate and direct the defense
of the DOD computer systems and networks.
Prior to the formation of the JTF, no single entity had the
authority to coordinate and direct a DOD-wide response to a
computer network attack. The JTF-CND and the NIPC, the National
Infrasfructure Protection Center, form a strong collaborative
team for dealing with attacks on DOD systems.
Over the past 18 months, the JTF-CND has developed
processes for identifying attacks against DOD networks,
assessing the importance of those attacks, notifying
appropriate headquarters of the information, developing and
implementing responses to them, and coordinating with external
organizations such as the NIPC. The DOD relies on the NIPC to
coordinate cyber attack indications and warning with the
Nation's critical infrastructure elements--communications,
power, etc.--upon which the Department depends for mission
success.
In closing, I would like to say a few words about where we
are today and where we need to be in the future. Today it takes
us at best hours to transition from detection to warning. At
worst this could be days. The attacks are perpetrated and
executed in milliseconds. We must develop the technology,
capabilities, processes, and legal framework to respond to
cyber events in real-time. There will come a time when our
capabilities will be tested, and national security or the
economic security of the Nation will depend on components like
the JTF-CND, NIPC and others working collaboratively in
response to the event.
I want to thank the subcommittee again for providing an
opportunity for the Department of Defense to present its views
on this very important issue, and we look forward to continuing
to work with Congress to ensure that we are able to meet these
ever increasing challenges.
[The prepared statement of Mr. Schaeffer follows:]
[GRAPHIC] [TIFF OMITTED] T4152.086
[GRAPHIC] [TIFF OMITTED] T4152.087
[GRAPHIC] [TIFF OMITTED] T4152.088
[GRAPHIC] [TIFF OMITTED] T4152.089
[GRAPHIC] [TIFF OMITTED] T4152.090
Mr. Horn. Thank you very much. That is a helpful statement,
and I am delighted to see that they have got some depth over
there under that Assistant Secretary, because we worried
through Y2K after the general retired.
So we now go to Mario Balakgie, Chief Information Assurance
Officer, Defense Intelligence Agency, Department of Defense.
Mr. Balakgie. Thank you, Mr. Chairman and members of the
committee. I am honored to be here to have this opportunity to
speak on the challenge of coordinating response to computer
security threats. I am here to present the views and opinions
of the Defense Intelligence Agency within our role for
information assurance mission of the Defense Intelligence
Community.
The business of intelligence is unique because of what we
do. But when it comes to how we operate, we are driven by the
information age. We rely on a global information infrastructure
using technology as an integral tool to carry forward our
mission of intelligence. Unlike in the past we now operate in
an interconnected and interdependent environment, giving us
tremendous benefit but not without security risk to our
information infrastructure.
Today's challenge is to ensure the protection of those
infrastructures against the cyber threat and requiring a
community-wide approach to a coordinated and active defense.
Whether it is the Intelligence Community, the larger Federal
Government or the private industry, each face common
impediments to conducting a coordinated response.
The interconnected environment has opportunities and risks.
The worldwide nature of threats, the attacks from anyone at any
time, does not discern organizational boundaries. The reality
of threat presents fundamental challenges and they are: our
ability to detect the cyber event through the use of real-time
sensors; discerning if the event is an attack or an anomaly;
conducting timely analysis to determine attribution and finally
reacting.
To further complicate a coordinated response there are
existing varying protection policies within interconnected
communities, making it difficult to execute an all encompassing
defensive action. For example, the various owners of networked
infrastructures do not necessarily agree on what may or may not
be constituted as an attack, how to respond to a cyber attack
or what defensive measures are required.
The most significant issue we face in conducting
coordinated response of cyber threat is the demands for skilled
and qualified personnel who have an understanding of
information and security technologies. In particular, intrusion
detection systems require specialized skills to monitor
networks for incident detection, conduct analysis of anomalies
and ultimately react.
While we can implement sophisticated security technology,
without these trained professionals, even our best security
defenses will not be effective.
The Defense Intelligence Community has several initiatives
under way to ensure our incident response and defensive efforts
are coordinated. Those initiatives are described in my
statement, but I would like to point or highlight at least one
of them, and that is risk management.
For us to understand our infrastructure strengths and
weaknesses, we are integrating risk management as a business
practice to determine critical assets, protection requirements,
and establishing priorities. Risk management will enable us to
emphasize the business process whereby resource decisions are
made in a consistent and methodical manner.
Finally, our response to cyber threats shouldn't be
misconstrued as a one-time issue but rather a never ending
challenge. We must commit to the information assurance mission
constant vigilance and protecting the information
infrastructure. Our defensive efforts must be comprehensive in
nature and include coordinated strategies within the government
as well as private industry.
This challenge is best characterized as a long-term
business of risk management balanced against threats,
vulnerabilities and ultimately the return of our investment. On
behalf of the Defense Intelligence Agency, thank you for the
opportunity to present our views and opinions.
[The prepared statement of Mr. Balakgie follows:]
[GRAPHIC] [TIFF OMITTED] T4152.091
[GRAPHIC] [TIFF OMITTED] T4152.092
[GRAPHIC] [TIFF OMITTED] T4152.093
[GRAPHIC] [TIFF OMITTED] T4152.094
[GRAPHIC] [TIFF OMITTED] T4152.095
[GRAPHIC] [TIFF OMITTED] T4152.096
[GRAPHIC] [TIFF OMITTED] T4152.097
[GRAPHIC] [TIFF OMITTED] T4152.098
[GRAPHIC] [TIFF OMITTED] T4152.099
Mr. Horn. I am going to take the chairman's right to ask a
question at this point. I would be curious as to the
biometrics--I am very interested in your insider bit because
that is what often does and has a real problem in either the
private sector, the public sector, whatever, to what degree are
we moving fairly rapidly to that so we would be able to at
least deal with where the insider is and either to lock him out
or lock him in?
Mr. Balakgie. Well, the first challenge for us is to detect
the insider and we are relying on the use of intrusion
detection systems to be able to do that. Those technologies are
currently implemented with a variety of sensors, what we refer
to as sensors, throughout our infrastructure.
They are--the sensors are gauged, if you will, to detect
certain events. Those events trigger a warning and then we in
turn pursue what could be an insider.
I would tell you that the technology is mature; however,
against a sophisticated insider, this still presents a
challenge in determining who they are and what they're doing.
Mr. Horn. Well, thank you very much. I am sure my
colleagues will have questions later. Our next presenter is Mr.
Jack Brock, well-known to this subcommittee. He is the Director
of Governmentwide and Defense Information Systems for the U.S.
General Accounting Office, an arm of the legislative branch.
Mr. Brock.
Mr. Brock. Thank you very much, Mr. Horn. It is always a
pleasure to be here. I feel like I am at my grandmother's
dining room at Christmas time. It is good to have a seat at the
table. It is crowded.
Mr. Horn. I apologize that we did not think about it to
start with.
Mr. Brock. I think you heard from most of the witnesses
that we live in a world where we are talking about a cyber
threat that is not defined by geographic boundaries, and the
lack of traditional boundaries really presents a challenge to
nations to consider new strategies and new ways of dealing with
this. No longer are you dealing in a physical world where you
can more easily recognize the threat, but where you frequently
have more time to react to the threat. The threat is there. It
is sudden, it is real, and you have to react immediately.
Further, the ownership of the problem is not just with the
national governments. It resides with all elements of the
critical infrastructure. And that can be public utilities, it
could be the financial sector, as well as Federal agencies, but
a whole variety of players are involved here and they all need
to be at the table. I think today you got a good overview from
the law enforcement agencies, but if you had a different panel
tomorrow and you had people from the financial sector or people
from the telecommunications, you might be getting a slightly
different perspective. The problem might be the same, but the
response and the reaction to it could well be different.
Further, this infrastructure that these organizations deal
in is complicated by the exponential spread and support
evolution of information technology. And frequently the
technology and the ability to exploit that technology runs
ahead of the ability to detect and respond, and that is a very
serious problem.
There are three elements to this issue. First, do we need
to be concerned about it? Second, if we do need to be concerned
about it, what are the challenges that have to be overcome to
have an effective response? And then, third, how do we begin to
address the challenges?
First on the threat, I don't need to repeat what these
gentlemen have all told you. There is a very real threat and
that threat can come from an insider. That threat can come from
a lone hacker who is out for a joy ride, from an organized
group of hackers, from a terrorist group or, as NSA estimates,
from 1 of over 100 countries that now have the capability of
launching an offensive cyber attack.
I think the potential for real damage has been highlighted
by the ``ILOVEYOU'' virus, the denial of service, the Melissa
virus. While none of these caused catastrophic damage in an
overall sense, it demonstrated the very real potential for
damage by cyber attack.
The challenges, we have identified in the statement four
challenges. First of all, establishing trust relations. You
have so many people that are at the table, just like we are at
this table, that have to work with one another. And even though
law enforcement people might work together, share information,
frequently the private sector do not want to share information
with the law enforcement. They see it as a one-way street. You
give information but you don't get anything back.
You have to establish a trust relationship between
different government entities, some who have less than friendly
relationships with each other. You have to establish
relationships between the government and the private sector.
You have to balance off national security versus economic
threat. There are a whole series of relationships that have to
be established, and it is really not realistic to assume that
everyone shares the same perspective or views the threat in the
same way or views the response in the same way.
The second challenge is related to that, but it goes to
reporting needs and mechanisms. What kind of information do you
need to be responsive? How do you best share it? What's the
protocol for sharing it and how do you do it in a timely manner
so that it is effective?
Third, and this was touched upon by several panel members,
are the need for technical capabilities. We have a real lack of
technical skills within the government, and I think elsewhere,
for dealing with this. Computer security is clearly underfunded
and underrepresented in most agencies. Most agencies or many
agencies do not have the skills that are necessary to provide a
level of protection.
We lack intrusion monitoring systems. The Department of
Defense has taken a real leadership role in moving out on this,
but this is still a very new area where we don't have the
systems in place that can effectively monitor intrusions.
And last, and I think the thing that bothers us the most
right now is what the national plan calls for in making the
Federal Government a model. And as you know from prior
statements before you, the Federal Government is far, far away
from being a model. Virtually every Federal agency has severe
computer security problems that put their operations at risk.
And if the Federal Government is going to be in a position to
speak about the need for developing national and international
infrastructures, it needs to get its own house in order and we
are far from that.
In terms of addressing the challenge, as you heard today, a
lot is being done. There are a lot of organizations that are
sharing information. These organizations certainly exist within
the United States and they certainly exist internationally. But
within our own government, that's done without an effective
framework. The national plan for information systems
protection, which the first version was issued earlier this
year, lays out the beginning of a framework dealing with
Federal Government. The next version is supposed to bring in
the international and private sector, but a framework is a long
ways away from having an effective implementation of the
policies that are needed to in fact do the balancing act that
you need between the various sectors to establish the trust
relationships, to develop the effective coordination mechanisms
that are required to address the challenge.
So the challenges to be addressed is a comprehensive
framework. This needs to be developed, it needs to be vetted,
it needs to be bought into. It needs to allow each of the
components to clearly define their individual needs. There
needs to be an opportunity to balance these needs against the
national need and, last, to develop and implement strategies to
meet those needs.
This is going to take leadership. This is going to take a
real commitment, a prolonged commitment, it will take time and
undoubtedly take a great deal of money.
That concludes my summary, Mr. Chairman.
[The prepared statement of Mr. Brock follows:]
[GRAPHIC] [TIFF OMITTED] T4152.100
[GRAPHIC] [TIFF OMITTED] T4152.101
[GRAPHIC] [TIFF OMITTED] T4152.102
[GRAPHIC] [TIFF OMITTED] T4152.103
[GRAPHIC] [TIFF OMITTED] T4152.104
[GRAPHIC] [TIFF OMITTED] T4152.105
[GRAPHIC] [TIFF OMITTED] T4152.106
[GRAPHIC] [TIFF OMITTED] T4152.107
[GRAPHIC] [TIFF OMITTED] T4152.108
[GRAPHIC] [TIFF OMITTED] T4152.109
[GRAPHIC] [TIFF OMITTED] T4152.110
[GRAPHIC] [TIFF OMITTED] T4152.111
[GRAPHIC] [TIFF OMITTED] T4152.112
[GRAPHIC] [TIFF OMITTED] T4152.113
[GRAPHIC] [TIFF OMITTED] T4152.114
[GRAPHIC] [TIFF OMITTED] T4152.115
[GRAPHIC] [TIFF OMITTED] T4152.116
[GRAPHIC] [TIFF OMITTED] T4152.117
[GRAPHIC] [TIFF OMITTED] T4152.118
[GRAPHIC] [TIFF OMITTED] T4152.119
[GRAPHIC] [TIFF OMITTED] T4152.120
[GRAPHIC] [TIFF OMITTED] T4152.121
Mr. Horn. Well, thank you very much. If Mr. Pescatore would
join us over there and, staff, see if we could turn around one
of those heavy awful tables that we suffer through here, and we
have Mr. Molander already at the table. And we are going to
move to Mr. Molander. He is the senior researcher for the RAND
Corp. that does a lot of good work domestically and foreign. So
it is nice of you to appear here.
So where is Mr. Molander? There we are. He moved to the
right place to make sure he could get recorded.
STATEMENTS OF ROGER MOLANDER, SENIOR RESEARCH, RAND; AND JOHN
PESCATORE, VICE PRESIDENT AND RESEARCH DIRECTOR, NETWORK
SECURITY, GARTNER GROUP
Mr. Molander. Thank you, Mr. Chairman. Mr. Chairman and
members of the committee, the RAND Corp. has done a large
number of studies on the problems that are being addressed here
today, including conducting many national and international
strategy policy and operational exercises, you might call them
cyber war games, in the area of critical infrastructure
protection as well as in the cyber crime arena, looking at the
impact of the Internet on things like Internet banking,
Internet gambling, and the whole impact on money laundering.
My testimony today is a distillation of that experience put
together by myself and two RAND colleagues, Robert Anderson and
Richard Mesic. In light of the comments that have already been
made, I am going to offer a few overview perspectives,
hypotheses, lessons learned from about 5 years of doing
research in this area.
First, to enable and motivate a more effective dialog
between government and the private sector, the government
needs, as was mentioned, a specific and much improved framework
for targeting the interests of individual infrastructure
sectors and companies.
You might say in a sense, Mr. Chairman, it's the private
sector that is the key here at the present time. The private
sector wants the government to provide threat intelligence, the
government wants the private sector to share sensitive
vulnerability information. To date neither can or will deliver
in a manner that the other deems adequate.
A second point, the companies that are running the critical
infrastructure systems all have quite significant risk analyses
and contingency plans for various outages and problems;
however, for this kind of threat the balance between risk and
cost chosen by individual companies may not be deemed best for
overall national security interests as judged by the government
in carrying out its responsibility. Additional resources are
undoubtedly going to be required. This cost gap-filling
challenge must be addressed by the Federal Government. The
expectation that the private sector will carry all of these
costs is terribly misleading.
Third, for those critical infrastructures which are
potentially under attack it is prudent to assume that the
threat actors, whoever they might be, wherever they might
operate, whatever their motivation, are likely to eventually
find vulnerabilities. Nature abhors a vacuum. They will be
found. We need to assume almost that any major vulnerability
will be found by some malevolent actor. To the extent that
actions to protect the infrastructure cannot for cost,
political or other technical reasons be implemented fully on a
day-to-day basis, alert and warning and response systems are
critical. Effective AWR, as we call them, architectures are
likely to involve a hierarchy of intersected alert and warning
systems where the best role for the government probably is to
try and take the lead in creating and coordinating almost a
system of alert and warning systems and then independently
provide sort of motivation for response plans being well vetted
and well organized so that people understand what will happen
when some alert and warning comes.
The fifth point, any significant attack of a kind that
might be characterized as strategic in character would almost
certainly be proceeded by various testing and probing
activities by the attacking party. This is going to be an
ongoing active process, as we have heard. Any data is likely to
become dated from an offensive or defensive standpoint, and
possibly obsolete quickly. We need to adapt to this kind of
dynamic situation.
Six, given our current knowledge base the CIP problem is
probably too complex and dynamic at this stage for any single
unified strategic concept framework or approach. That means
that we have to break the problem down in manageable pieces
nationally and internationally and attack the pieces. The kind
of unified framework that we would also like to have is
something that at best will take place over time.
It is clear, I think, that there is no simple solution
silver bullet for enhancing U.S. or global critical
infrastructure protection. It is not clear how vulnerable key
sectors are, how widespread the effects of a major attack might
be, how various responses to that attack, how effective they
might be, how well an adversary could marshal the next
knowledge and resources to mound a strategic level attack as
opposed to what you might call duck bites without extraordinary
preparation.
At this time the best approach probably both nationally and
internationally is to get down into the details for each
individual infrastructure. Every infrastructure is different in
terms of their preparation, their risk assessments and their
planning. One needs to look at the particular attack modes that
are going to be--classes of attack modes that are going to be
most troublesome for individual infrastructures, electric
power, telecommunications, etc.; the particular generic
vulnerabilities that are most worrisome for that sector that
can be projected with time even though technology changes; the
type and extent of effects of the damages the sector might
suffer, the importance to the Nation of those effects, and
finally the types and effectiveness of responses that might be
expected by the private sector and the government.
Let me reiterate as a close, it is the private sector, Mr.
Chairman, that is the real challenge at this point for
government.
Thank you.
[The prepared statement of Mr. Molander follows:]
[GRAPHIC] [TIFF OMITTED] T4152.122
[GRAPHIC] [TIFF OMITTED] T4152.123
[GRAPHIC] [TIFF OMITTED] T4152.124
[GRAPHIC] [TIFF OMITTED] T4152.125
[GRAPHIC] [TIFF OMITTED] T4152.126
Mr. Horn. Well, we thank you and your colleagues for that
fine presentation.
Mr. John Pescatore is the vice president and research
director, Network Security for the Gartner Group.
Mr. Pescatore. Good morning and thank you, Mr. Chairman and
the committee, for this opportunity. It looks like I am batting
cleanup here. You have heard from a lot of constituencies. In
my 22 years working in information security, I have actually
worked for the Intelligence Community, the law enforcement
community, private industry, in developing fire walls and
public key encryption, and now with Gartner Group, working with
thousands of our clients across the world addressing their
security problems.
Add the citizens to the stakeholders in this, and it is a
complex problem, and the key is sharing across those
communities. The Internet definitely rewards sharing, it
actively rejects attempts at hierarchal command and control and
routes around them, to paraphrase a famous Internet saying.
What within this mix can the government do to facilitate
sharing is the key issue we have touched on I think in a number
of ways here.
First, we have heard several times, and I will certainly
second it, that the government should first clean up its own
act in computer systems and make sure that government computer
systems are secure and well managed. We've seen an explosion in
use--business use of the Internet that really vastly outpaces
the growth of crime against the business use of the Internet
today. We see companies like Cisco and Intel and Intuit getting
the majority of their revenues through sales over the Internet.
They figured out how to do it securely and still run leading
businesses.
So the solutions, the technologies and the processes are
there. They need to be emulated and replicated across all
systems, and government systems are a prime example. We
estimate it takes anywhere from three to five times more
effort, more total cost of ownership to secure an Internet
exposed application than one that has traditionally been inside
a closed environment. If you use today's point solutions and
antiquated processes that we see many government agencies
trying to use, if you use architectural solutions, redefined,
reengineered processes, those costs can be halved and become
much closer to what it takes to do so behind the fire wall.
So first point, government effort to secure government
systems, that is one key inhibitor to private industry willing
to share the threat information with the Federal Government.
Will it be protected when it is stored by the Federal
Government?
Second key point, the government certainly plays a role in
defining security standards and can put its buying power behind
those standards. We see the National Institute of Standards and
Technology [NIST], with the National Information Assurance
Program putting together protection profiles for various
technologies and systems. Some very good efforts there. Not
quite working on Internet time, more bureaucratic time; need to
move up to Internet speeds, and not quite so focused on a
prioritized list of what makes the most sense to e-business and
the needs of all these various constituencies. I think that can
be improved.
The government can certainly learn some lessons from what
it did in the Y2K period. There were many things that others
put together for Y2K; for example, in the National Security
Telecommunications Advisory Council [NSTAC], is an example of a
very workable way of sharing threat information between private
industry on the critical infrastructure side and the
government. Did a lot of good work for Y2K.
Another suggestion that we have, we saw the Securities and
Exchange Commission require publicly traded companies issue Y2K
status information in their quarterly and annual reports. Let's
see that for security information. Let's see the government
help make security part of the bottom line versus an
afterthought for many of these companies. I think that would go
a long way.
I want to point out we don't see a need for more alphabet
soup of committees and task forces to address this problem or
coordinate this problem. We see plenty of those. We see many
successful examples, things like the Forum of Incident Response
Security Teams, the Carnegie-Mellon Computer Emergency Response
Team, things starting up in the Federal Government like FedCERT
to share information. We have enough mechanisms. We need to
move them forward and increase sharing.
I will sum up, with that buzzer going off, to say we see a
lot of successful use of the Internet increase the bottom line
of companies, make things more convenient for citizens.
Certainly we know cyber crime and information warfare will
follow and it will require leadership by the government to
address those. I think the government can learn from what
private industry has done successfully and adopt best practices
on government systems and sponsor leading practices and
standards that will apply across the infrastructure. Thanks for
your time.
[The prepared statement of Mr. Pescatore follows:]
[GRAPHIC] [TIFF OMITTED] T4152.127
[GRAPHIC] [TIFF OMITTED] T4152.128
Mr. Horn. Thank you very much. We will begin the
questioning with the ranking member, Mr. Turner. Each of us
will take 10 minutes. And as you can see by the ruckus on the
bells, we have another vote so we will both have to get there.
But we will get started here with 10 minutes to the gentleman
from Texas.
Mr. Turner. Thank you, Mr. Chairman. Mr. Pescatore, I
wanted to followup with you. You made a comment there that we
did not need any more task forces or study groups, and then you
also made a comment that we had the necessary entities. You
referred to the Carnegie-Mellon Institute. I guess it is a
similar operation to what we do at the Federal level. Did I
gather you said those were sufficient that we had in place?
Mr. Pescatore. Well, we have the mechanisms, things like
CERT teams and FIRST and across DOD and the civilian government
and private industry for sharing the--for coordinating
response. We need a number of things to help make information
sharing easier. Many have been addressed in the testimony.
Things like the Freedom of Information Act being addressed to
make sure that information shared will stay private, will not
be releasable. Making sure information sharing is bidirectional
between these communities as much as possible.
So there are ways that we can increase the sharing between
these mechanisms, but I don't think we need more mechanisms.
Mr. Turner. We have a number of people here from various
countries around the world. What would you see as the greater
need internationally in this area? We all talk about and
everybody has mentioned we need greater cooperation. What does
that translate into in terms of actual activity?
Mr. Pescatore. Well, I think what you see the most need for
is increased communication between the different layered
communities. For example, Interpol between law enforcement, the
various NATO and other mechanisms between DOD, and there are
existing mechanisms like FIRST that interoperate between
companies across countries. The flow between those three
communities is near zero. That needs to be increased. And the
mechanisms are there, again, but the oomph behind them is not.
Mr. Turner. I was interested, Mr. Molander, in your
comment. You said the problem is the private sector, not the
government, and yet I get the impression from listening to the
testimony that the government is increasingly going to be
required to play a greater role, that the private sector is
going to basically say there is a point beyond which we don't
really want to go. We don't want to spend the money to go
further, but that our national security needs will require us
to go further.
So you might want to expand on that thought a little more
because I was getting the impression earlier that the direction
that we needed to take was that we are going to have to
recognize that the government is going to have a greater
responsibility, not a lesser responsibility.
Mr. Molander. I think that is probably right. But in the
end, I think the real challenge right now is to bring the
private sector to the table in seeking solutions to this
problem. As yet, the kind of information that we would like to
get from the private sector in terms of, for example, the kinds
of probes that they are seeing right now, how they are
organizing themselves for responding to certain kinds of
attacks, classes of vulnerabilities that they can see from
their own experience with natural sort of events and things of
this character, these kinds of things have not yet been part of
a dialog between the government and the private sector largely
because the government has not been successful in making the
case--and it's not an easy case to make at this early stage--
that there is out there perking along, you might say, the kind
of strategic threat capability that truly would be more than
just a cause for the kinds of problems that we saw with the
``ILOVEYOU'' virus and things of this character.
The private sector is, if you will, the frontier. That is
where things are happening in terms of attacks against the
infrastructures, more so perhaps than the attacks against the
Defense Department. The private sector--all boats have to get
in and start rising here, but the private sector is really
missing in terms of aggressive participant in the larger
strategic challenge.
Mr. Turner. What's it going to take to get the private
sector to move more rapidly in terms of their willingness to
cooperate?
Mr. Molander. Other people could comment on that as well,
but I would say a persuasive case made by the government,
barring some actual events, of the kinds of vulnerability that
the private sector sees could be exploited by a malevolent
actor who you might say catches up with the information
revolution and catches up with the software and what not,
changes that are being made by the infrastructure. So you might
think of this as somebody doing a high speed merge, the
malevolent actors doing a high speed merge on the highway. But
the threat is that they will catch up and the kinds of dialog
where the government makes a persuasive case for threat really
haven't taken place yet.
Mr. Turner. I'm not sure we do understand the threat, and
maybe we need to have more opportunities for experts like we
have on this panel to tell us the worst case scenarios that
might be out there for us. We have two panelists here from the
Department of Defense, but when we talk in terms of national
defense we usually can identify the threat and talk about it.
Sometimes we talk about it in top secret meetings, but we talk
about it and that's what we try to address.
Maybe we don't have a good perception of the real threat.
Do any of you, particularly panelists from the Department of
Defense, have any suggestions on how we might better educate
ourselves on the nature of the threat? Mr. Vatis with the FBI,
I'm sure you have some thoughts on that you could share with
us.
Mr. Vatis. I think I agree with the point that one of the
things we need to do is to raise awareness about the nature of
the threat. And, in fact, a lot of that has been going on. We
have provided numerous briefings to different committees of
Congress and also to many different parts of the private
sector. As one example, I've provided a classified briefing to
the owners and operators of the electrical power infrastructure
because of their centrality to the functioning of all the other
infrastructures. And I think those briefings, as well as real
live events such as the various viruses that we have seen and
denial of service attacks, have all done a great deal to raise
the level of awareness. And I think they've contributed to the
progress that actually has occurred over the last 2 years in
terms of the private sector taking steps that it hadn't taken
before to secure its systems.
But I think all the awareness raising in the world is only
going to get you so far. And then you still run up against the
fact that companies are not going to do anything until they see
that it's necessary to protect their bottom line and their
ability to make profits. And I think companies are going to
make different decisions about the probability of something
happening. They will look at the cost of taking steps to
prevent it from happening versus the cost of something
happening, discounted by the probability and going through that
sort of cost-benefit analysis. And so I think that's really
where we need to make progress.
The other thing that I see happening is a bit of a free
rider problem. That especially affects the whole problem of
information sharing. There has been a lot of talk for 2 and
more years about the importance of information sharing. We have
set up numerous mechanisms, some of the ones that Mr. Pescatore
has mentioned as well as ones that the government has set up,
including through the NIPC, to share information from the
government to the private sector. And that's all been going on.
But what's principally been lacking, I think, is
information coming from the private sector to the government
and information being shared among private sector companies.
The free rider problem that I mentioned comes from the fact
that companies are willing to get information that might help
them become aware of vulnerabilities, but they're very wary of
sharing their own vulnerability information, not just with the
government but with their competitors in industry, because
companies see a possible competitive advantage if they're aware
of a vulnerability and others aren't. And so that's where I see
the principal hindrance to information sharing.
Mr. Horn. I will have to interject now. At 12:25, we go
into a formal recess. We will be back at 2 o'clock for the
questioning. Other Members will be here. And I believe your
host, the Federal Bureau of Investigation, already has other
things for you to do during this period. So we are now recessed
formally. If you want to ask some more questions fine, but you
can also ask them at 2 p.m.
[Recess.]
Mr. Horn. The recess is over, and I hope you had a good
lunch, and we thank the Federal Bureau of Investigation for
that hospitality. Since none of us on Capitol Hill except the
Speaker have a representational allowance, we don't have any.
But let us ask a few questions. We won't keep you that long
but there are a few things we did want to talk about.
To the Department of Defense, let me ask this. Has the lack
of an international policy on critical infrastructure
protection impeded the Defense Department's efforts to address
mutual concerns on infrastructure protection? How would you
answer that?
Mr. Schaeffer. No, sir, I believe that with respect to our
international partners we have worked on an individual basis to
ensure that where we are reliant upon the infrastructure of the
nations where we reside. That is not to say that all the
problems are fixed and everything is wonderful, but we are
working U.S.-to-host nation to address those issues.
Mr. Horn. In an unclassified setting, can you tell us what
countries do you see as having the most developed information
warfare and computer attack capabilities?
Mr. Schaeffer. I cannot address that in this forum, sir.
Actually, that question would probably be addressed better to a
member of the Intelligence Community than to this portion of
the Department of Defense.
Mr. Horn. We will have Mr. Goss ask that.
How concerned are you in the Defense Department about the
proliferation of weapons of mass destruction, viruses, hacking,
exploited denial of service, and will increased information
sharing improve the response posture of the United States?
Mr. Schaeffer. Well, sir, I believe I can state
categorically that we're very concerned. Certainly as one can
read in the paper every day, the Department is subjected to a
substantial number of probes, attempted intrusions, attacks,
however one wants to categorize that. Last year, or in 1999,
the Joint Task Force-Computer Network Defense registered over
22,000 attacks on DOD systems.
Now, it's very, very difficult to say what portion of those
came from within the United States, what portion may have been
foreign sponsored, which portion may have been foreign
generated. I mean, there's a number of those situations that we
continue to pursue.
But the volume and the anonymity with which an attacker can
operate unimpeded from around the world sort of states the
situation that we are dealing with.
Mr. Horn. In my opening statement, I referred to NATO as a
possibility to be able to share information in this area. To
what degree--well, let's put it this way. The European
Parliament, the various sovereign nation parliaments, and the
Council of Europe and all of those groups, everything, the
OECD, all overlap each other. But I wondered, since NATO has a
working relationship, and one of the reasons was to have a
defense group in relation to the Western world, so to what
extent, if any, is NATO involved in cyber attack problems?
Mr. Schaeffer. In March 1998, Dr. John Hamre made a visit
to NATO. We actually visited several individual nations and
NATO as a body, the C-3 board, within the NATO structure. And
we gave several presentations on U.S. experiences in the area
of cyber issues, problems. We laid out our experiences in our
own exercise environment, Eligible Receiver 97, which was
really the watershed event that got the Department's attention.
Mr. Vatis spoke briefly to the Solar Sunrise incident,
which I refer to as a live fire exercise, and we shared those
experiences with our NATO partners.
Subsequent to that, we have continued to expand our
relationship in terms of sharing experiences, training
material, approaches to address information assurance issues
both with NATO nations and non-NATO nations as well. We have
done that DOD to MOD, the Ministries of Defense of the various
nations. And so our relationships have been constrained pretty
much within the context of our military partners.
In some cases, some nations have sent non-MOD delegations
to DOD to get our perspectives on critical infrastructure
issues, information assurance issues, and the Department's
approach at dealing with those.
So, I think since the March 1998 timeframe, we've had
substantial interaction with our foreign allies and partners to
try to convey what we see as rather substantial problems. And
I'm pleased to see the progress that NATO has actually made in
addressing a number of these issues. Again, there's a long way
to go, but it begins with awareness and understanding and
common appreciation of the problems.
Mr. Horn. Now, what do we do for those countries that are
not in NATO and that rim on the NATO alliance? How do we deal
with that?
Mr. Schaeffer. We have, on a bilateral basis, exchanged
understanding of issues, problems, approaches, with non-NATO
nations within Europe. But we've done that again, DOD to MOD.
Sweden is an example of a non-NATO nation that we've had
information exchanges with.
Mr. Horn. Are the French now in or out of NATO?
Mr. Schaeffer. The French are in NATO. And we've had
exchanges with them as well.
Mr. Horn. OK. Mr. Genis said this morning, and I'm just
wondering what the reaction is of all of you, the suggestion of
an international coordination center. Is there an existing
organization suited for that purpose? We have a lot of League
of Nations groups in Geneva and other parts of Europe and other
parts of the world, and we have U.N. possibilities and all
that. But I'm just curious if we can go down the line and where
do we see for having an international coordination center where
you could relate to them and they would keep up on a lot of
this and share information. Mr. Reksna.
Mr. Vatis. If I may, Mr. Chairman, I think Mr. Reksna would
rather pass on this, if that is OK with you.
Mr. Horn. That's fine, but if he has some thoughts we would
welcome them. Because we need to have countries involved, no
matter what their size. They're important people to us.
Mr. Reksna. Actually, we should think always the
possibility, if it's possible, we would answer you in a return
letter.
Mr. Horn. Well, thank you. Mr. Vatis.
Mr. Vatis. I think the need for a much more efficient and
quick mechanism for sharing information internationally is
apparent. That is one of the things that the G-8's High-tech
Crime Subgroup has been discussing over the last year or two.
The problem that we bump up against is that of national
sovereignty and the fact that countries are not willing to let
foreign law enforcement agencies conduct investigative
activities within their own borders for national sovereignty
reasons.
And so what the G-8 has been trying to do is come up with a
system where countries at least agree to freeze information at
the request of another country, and then let the normal mutual
legal assistance treaty process take effect. As some of my
colleagues had mentioned this morning, that is typically a
lengthy process, because in the past in traditional crimes,
speed was not always of the essence the way it is in cyber
crimes. And so it wasn't of great concern to people that
requests would take weeks and months.
Now when evidence can be lost, that sort of delay is simply
not tolerable and so we are trying to come up with methods,
first within the G-8 and then on a broader scale once we have a
model developed, to try and share information more quickly.
But the idea of a single international body that would have
powers that might transcend national sovereignty I think would
pose difficulties not just for the United States but for most
countries.
Mr. Horn. Mr. Kronqvist, any thoughts on this?
Mr. Kronqvist. Thank you. I think such kind of center
should be very useful. But as a law enforcement person, I would
like to express that participation of law enforcement agencies
should be very manifest and I think probably should be by law
enforcement organizations so secure handling of information
would not come in the wrong hands.
Mr. Horn. Mr. Juergen Maurer.
Mr. Maurer. I'm not convinced that there is a need for a
specific institution to be established. If it comes to law
enforcement, I think it would be a much better way to use the
existing channels and make them aware of the specific needs.
Especially when it comes to Europe, we have to face how many
years you need to establish a new police institution, for
example, like Europol, and it will need another 10 years to
have a real operative institution. So I would prefer to stick
with the existing channels and use these channels.
Mr. Horn. Mr. Meneses, what is your thinking on this?
Mr. Meneses. Your Honor, I think Interpol is a good bureau
within which law enforcement could properly coordinate and
cooperate, considering that it is already existing. I believe
what is already needed is to refocus some of these people to
concentrate especially on cyber intrusions. They should be
given--these people should be directed by the leaders that
priority should be given on cases under investigation,
especially on cyber intrusions.
Mr. Horn. Thank you. Mr. Genis.
Mr. Genis. Well, ditto. And I'd like to mention that
Interpol would be an appropriate body. But it should be more
similar to the NIPC, but which would have control over European
countries and other countries than within the United States.
Mr. Horn. Mr. Adamson.
Mr. Adamson. Yes, Mr. Chairman, Interpol does have the
framework to do this, but what they are lacking is the
resources and expertise. There are about 300 police officers
from around the world assigned to the General Secretary at
Lyon, including 10 Americans. But cyber crimes is just
something that has started. Interpol has always been years
behind. I think with the new Secretary General coming this year
with a renewed interest in Interpol by the United States, and
renewed interest by all the first world countries, I think
things could change. The framework is there and you still have
the sovereignty aspect but at least the framework for
communications is there.
Mr. Horn. Mr. Schaeffer, any other thoughts on this?
Mr. Schaeffer. Mr. Chairman, I think the only thing I would
add is that while existing organizations and mechanisms--or
mechanisms do exist, I think we are a long way from a
consistent taxonomy in an international sense. What is an
attack? What constitutes an attack? What is an event? What is
an intrusion? And so I think there is work that has to be done
there before we could vest the responsibility for coordination
in any one body or any group of organizations. I think there is
much that could be done to create a consistent view of the
problem and then some sort of international convention of what
gets reported, how, and in what context.
Mr. Horn. Mr. Balakgie, is the Defense Department unified?
Mr. Balakgie. Absolutely, sir. I would say that there might
be some information that would be difficult to share but that's
my intelligence. I think you're talking about certain levels
where you know something is going on, sharing of information
needs to be done in a rapid manner. It's what happens before
you get to that point that I think is challenging for us.
Mr. Horn. Mr. Brock, any thoughts on that, looking around
the world and around the United States?
Mr. Brock. I think there is a need for more international
sharing. I think at least initially it would be difficult to
see one body doing that initially. Much as in the Y2K, people
that have already established trust and working relationships
in particular sectors, it might be feasible for them to begin
sharing information among themselves and at some point look for
opportunities for improving sharing among those different
groups.
Mr. Horn. Mr. Molander.
Mr. Molander. I was going to say that same thing. I think
Y2K was something special, and those people who paid for it by
drinking champagne in paper cups did over the period leading up
to that establish a precedent that one could build on even if
you can't very quickly even think about how to get started on
international law enforcement institutions. I think the
precedent set by ICAO and IATA and international ITU should be
built on before both personal relationships are lost and the
experiences are lost because you can do a lot of work in that
area. And as I testified earlier, I think bringing the private
sector through the individual infrastructure, treating them
independently, into this problem effectively is a very
important thing to do. And this would be a good place to start.
Mr. Horn. Mr. Pescatore.
Mr. Pescatore. I think I will echo one comment I believe
Mr. Schaeffer made, that the important piece is the consistent
taxonomy and lingua franca for defining what is an incident in
different times and we see nascent standards in that area, work
within the DOD and private industry, to come up with a common
language. That would be the first step to get that in use
across these communities and that would facilitate information
sharing, be it any of these difference mechanisms that we
talked about as a coordinating body.
Mr. Horn. Now the private sector sort of was in and out of
your testimony, depending on the situation. Is the private
sector here, Europe, Asia, wherever, in computing, are they
aware of the problems that the viruses create, are they working
on ways to block that in the computers that they sell? You
don't have to name any names, if you don't want to. But does
that occur somewhere? It seems to me this is a wonderful market
for someone if they can figure out how to attract people who
are virus experts and all the rest of it. So what's your
feeling on that? And do they realize the size of this problem
and what it could do to the free world as well as the nonfree
world?
Mr. Brock.
Mr. Brock. Every time I testify on computer security, I get
several calls the following day from vendors saying we have the
answer and they want to come over and do a demo or whatever.
And many of them I think, in fact, do have good products. But
the problem that we've seen at the agencies we've reviewed is
that using a tool, that many agencies have tools but they don't
use them effectively. And that's the secret. You can buy a tool
that is very effective and we have gone into agencies where
they have great firewalls but they haven't turned on all the
features of the firewall, or where they haven't trained the
people to use it or they haven't updated it and it is two
generations back and viruses and other attack methods have
progressed.
So I think there are opportunities. But you just can't use
a tool without knowledge of how that tool is supposed to work
and without continual training to make it work.
Mr. Horn. Is there any other feeling from those of you that
live in Europe as to whether your manufacturing industries see
this as a real opportunity, if they can block out the type of
viruses or whatever it is? Are they not interested or are they
interested in doing this? I think that's where some brain power
ought to be given to it. It's like anything in defense,
everybody--you get it done, somebody has something that's
bigger and then so forth and so on. So it seems to me this
would be a very good market for everyone there.
The other thing is do the antitrust laws in the case of the
United States, does that keep manufacturers and others from
getting in at the top of this problem? And is that type of
sharing, should that type of sharing be exempted if it in any
way is a problem for the antitrust laws? I don't know the GAO
has looked at that and we don't have anybody really from
Justice on the legal side. But I think we need to pursue that
with the Department of Justice and see if something needs to be
done to amend the law.
Mr. Brock. My colleague, Joe Williamson, testified last
month on H.R. 4246, the Cyber Security Information Act, which
was very similar to a Y2K legislation that eased some of the
concerns that companies had about sharing information so they
wouldn't violate various antitrust provisions, and we were very
positive about that act and thought that anything that would
alleviate concerns between companies about sharing information
was a positive step forward.
Mr. Horn. Well, I think you're absolutely right on that and
we need to pursue that a little more perhaps with the Judiciary
Committee.
Let me just ask on the cyber attacks that have been
investigated, is there a single point of contact in the United
States that all of you who are not in the United States use as
your contact point? Is it the FBI's center or are there other
places you can also--Carnegie-Mellon has not really come up
this morning and Carnegie-Mellon has been doing a lot of work
on how to deal with this problem.
So I don't know if any people that are--are you primarily
relating to Mr. Vatis and the center there? Or are there others
that can help you in this country? Because we'd like to know
where they are and we know about Carnegie-Mellon. Is there any?
Yes?
Mr. Maurer. Our first partner in these cases would be the
FBI. If it comes to a legal assistance request, we should have
to go through the Department of Justice, but they refer us
always then back to the FBI. So our main partner would be the
FBI.
Mr. Horn. Is that the general feeling of most of you, that
you relate to the FBI essentially? Yes?
Mr. Kronqvist. Yeah, normally we have contact with the FBI
through the Legal Attache's office. But we have also other
contacts with them, some of the other parts of the FBI, because
we have training exercises with the FBI also on projects like
that.
Mr. Horn. Well, they're a good group to deal with. Do each
of your countries have decent legislation now to combat the
cyber attacks? I know the Philippines has. I wish our Congress
could move as fast as yours did, because you seemed to move
very rapidly. Is there a model law that would fit for every
country on that? I realize there is different legal practices
under the laws.
But do you feel that there's some of the countries that
maybe surround you don't have any laws on this and maybe some
don't even care to have any laws about this, because some of
them might be doing the things that we are trying to block. So
is there a feeling that there is a weakness of laws in some of
your countries? Yes? Dr. Maurer.
Mr. Maurer. I'm not that familiar with this part of our
work, but it seems that there's a feeling that there is a lack
of the law passage. There is an effort by the European
Community to harmonize the different laws. So the European
Council or the members of the European Council or delegation
located here in Washington, DC, they might be a good place to
go and get more information on that.
Mr. Horn. Any other thoughts on that? Well, let's get to
the point of should there be a global treaty on this? And does
it even make any sense, given all the diversity and all the
complexity that's involved in this? Should that be either
pursued bilaterally and signing or having the Europeans deal
with that, the Asians on their continent, whatever it is? That
if a global treaty is needed? What is the feeling on that?
The gentleman from Latvia might want to respond on this one
because I would think that would be in your interest in terms
of Europe and that area to have some sort of a relationship.
Any thoughts on it, as we would say in this institution, the
gentleman from--in your case you're the gentleman from Latvia,
and we are glad to have you here.
Mr. Reksna. Without doubt, we'll need agreements on
cooperation. But we should say openly that actually all the
countries, there is much bureaucracy in each country and any
more agreements--any other agreement also like needs more
bureaucratic work and papers. In order to solve, to detect a
crime, the main thing is time--to shorten the time. And because
of that, I would agree to that said by our colleagues that at
the present moment, maybe one of the most effective ways to
work in this direction is personal contacts, to have more
personal contacts and to have really good working relationship
and contacts with LEGAT, with FBI liaison officers.
And for sure, there should be present such a thing as
trust. Trust as on the level of law enforcement institutions in
the country, between different countries, and the trust
between--we are to build the trust between the law enforcement
agencies and the private sector. Because if there is a trust,
there would be an effect.
Mr. Horn. Thank you very much. Mr. Vatis, what do you think
on this?
Mr. Vatis. I think one of the most pressing needs
internationally is for harmonization. Or if not quite
harmonization, at least some minimal level of substantive
criminal law in all the countries around the world to
specifically address computer crimes because one of the
problems that we have seen is if we have an incident and we
determine that the perpetrator is located in a country where
there is no applicable law, there is no chance for prosecution
oftentimes in that country and there is also no chance for them
to provide assistance to us because they don't have the legal
basis to even engage in an investigation.
But I think our approach has been that the best and most
likely way to achieve that gradual creation of laws around the
world is not by jumping right to a global treaty of some sort,
because I think that would take a considerable amount of time,
given the great differences in perspectives and priorities
among the different countries, but instead to try to encourage
the passage of new laws on a bilateral basis, and on a
multilaterally basis first to deal with smaller groups of
countries that have common interests.
So we've been doing that through the G-8 and then Europe
has been doing that through the Council of Europe. And I think
if we start with those types of smaller groups of countries
with common interests we'll eventually create some momentum and
eventually see most, if not all countries around the world have
applicable laws.
Mr. Horn. Any thoughts on this, Mr. Kronqvist?
Mr. Kronqvist. Yes, I think international agreements can be
very useful because even domestic legislation can be organized
very rapidly if there is--international work is the issue.
Mr. Horn. Dr. Maurer.
Mr. Maurer. Just would like to support the thoughts Mr.
Vatis just told us. That is exactly our position too.
Mr. Horn. Mr. Meneses.
Mr. Meneses. I agree with the observation of the honorable
chairman that there should be an international or global
treaty, considering that information technology moves so fast.
And the Web site would be on the other part of the world and
the suspect or the culprit may be on the other side of the
world and there may be a problem on how to get some of this
evidence. But if everybody--if there is a treaty, at least the
investigators or the law enforcers would have a chance to call
on such country or nation to give in some of the evidence that
we need. Of course the recommendation of Mr. Vatis could also
be a preparatory step to that global treaty.
Mr. Genis. I'd like to stress sir that an international
treaty will allow us or will give us the ability to address
foreign countries, besides the United States, where we speak in
the same legal terms. And it will simply make the process
accelerated.
Mr. Horn. Mr. Adamson.
Mr. Adamson. Yes, I mentioned that Interpol works with a
number of organizations and, as I previously mentioned, the
Council of Europe has been doing this with a draft convention
on cyber crime recently. And they are putting together, this
will probably be the first international treaty to address this
problem of cyber crime. As I understand it, the text will be
finalized by the end of this year. The Committee of Ministers
may adopt it as early as autumn 2001. Again this is piecemeal,
this is Europe. But it is the first step probably to do
something worldwide.
Mr. Horn. What is the process in terms of Interpol in
developing a document such as that?
Mr. Adamson. Well, Interpol isn't doing it. Interpol is
only supporting it. It is really the Council of Europe. It is
again one of the many organizations that we belong to. But we
are listening, we are watching what they are doing and perhaps
through our mechanism we can show the rest of the world that
this can be done.
Mr. Horn. That is good. I am sure that is a publication
that will be sought in a lot of places.
Any other thoughts on this?
Mr. Adamson. Not from me, no, Mr. Chairman.
Mr. Schaeffer. I think I find what Mr. Adamson says very
interesting. I wasn't aware that there was such work going on.
But I think, from a Department perspective, I think Mr. Vatis
articulated our position very well.
Mr. Horn. Well, which reminds me on this situation, if
that's so, are our defense attaches educated and trained that
this is a real problem? Where in our Embassy should we have
somebody that can deal with this?
Mr. Schaeffer. I think we are continuing to educate and
raise the awareness of the defense attaches around the world.
But--there are levels of understanding to the problem and many
of the issues that we deal with are down in the nuances of
exactly what happened and how and where, and that takes a depth
of understanding that is much, much greater than just
awareness. We continue to pursue that, but--again, we are a
ways away from having a completely trained and educated cadre
of folks around the world.
Mr. Horn. Thank you. Any other thoughts?
Mr. Balakgie. Just one other comment to the defense attache
question. Since they are managed out of a difference
intelligence agency, we do have some procedures that they are
provided on how to deal and address some cyber issues in terms
of their role in the Embassies. So there--just to reinforce
that there is an awareness.
On a previous question on an international treaty, I would
echo what some of the other panelists have already stated, and
that is it would go a long way in at least having the ability
to reach into some of these other countries when a problem
occurs and see some legal or law enforcement activities kick
into gear to help us address some of these issues. So I would
definitely think that would be highly recommended.
Mr. Horn. Well, that's a very good point that we cannot
wait until it happens, we need to get ahead of the game.
Mr. Brock.
Mr. Brock. I think you're raising a very interesting point.
I think there needs to be all sorts of avenues for
international cooperation. And sometimes if you have a good
relationship informal things that are flexible work very well
when you have a good understanding, but when you don't have a
good understanding that sometimes more formal arrangements
really force you to lay out the issues in ways of dealing with
them.
Another area that could lead to interesting discussions as
well, just as you have arrangements, treaty arrangements on
weapons of mass destruction for chemical and biological
warfare, there might be a point some time where you would want
to consider such treaties that would prevent using cyber
warfare as a weapon of mass destruction, which it certainly has
that capability.
Mr. Horn. It certainly has the capability of scooping up a
lot of money in one place or the other also. It is amazing what
can be done. Mr. Molander.
Mr. Molander. We have tended to call--use the term
``weapons of mass disruption'' for the context that Mr. Brock
spoke about. I think the proposed convention would go a long
way in a dimension that Mr. Schaeffer mentioned, which was get
a taxonomy that could be used by someone. There is an
extraordinary language problem. One sees it in law enforcement
and in critical infrastructure protection. It also will help to
get ready for the point where one deals with the difference
between is this crime or is this war? And I think that's an
interface that is a real challenge for I think every country
because every country handles matters differently.
We have a fourth amendment; other countries don't. And the
possibility of having an international convention that covers
acts of war through or using cyber space was introduced a
couple of years ago at the U.N. by the Russians. One of the
reasons it probably did not go anywhere is that unlike
biological weapons and chemical weapons, where there is an
international consensus on not using those weapons as weapons
of warfare, there is no such consensus on nuclear weapons. What
consensus might emerge on using cyber weapons or whatever you
want to call them against infrastructures, for example, is a
long way off, and I think until there is some common goal that
people can all endorse trying to write a treaty, and we ran an
exercise one time that said write me the first article of the
treaty, I've had treaty experience. Write me the first article
and then tell me what goal that article is going to advance you
toward. And that left everyone mute.
Mr. Horn. Well, that reminds me in my university President
days, I learned do not be the Alpha project in a computer
operation. Go way back and be the last one, the Zebra project.
And a lot of our problems in our own domestic government have
been because they did not have good management at it and they
are constantly reinventing the wheel and this is too dangerous
to be reinventing the wheel unless it is going in a decent
direction. Mr. Pescatore, any thoughts on this?
Mr. Pescatore. I would echo the importance of a global
treaty or agreement on the difference between crime and
warfare. We can certainly spin a scenario of an environmental
group in India attacking U.S. banking systems in cyber warfare
that appears to come from China, what is the response? Is it
crime? Is it warfare? What is the common definition between the
two and agreed upon responses? I think that will be a major
problem in the future.
Mr. Horn. In our closing here, if there is any questions
that any of you would like to ask others while they are here,
this is a pretty talented group, so if say the General
Accounting Office that works for Congress throughout the world,
if you have any questions, Mr. Brock, that we've missed along
the line, feel free to ask something, and the same with our
guests.
Mr. Brock. We are actually doing a review of both Mr.
Schaeffer's operation and Mr. Vatis's operation now. So we have
been exercising our opportunities to introduce them and the
results of those should be available next spring, and hopefully
we will have another opportunity to share the results of that.
Mr. Horn. We would be glad to see it.
Let me just thank the staff that have helped on this J.
Russell George, our staff director, chief counsel. Ben Ritt is
to my left, your right, he is on detail to us from the General
Accounting Office. Bonnie Heald, director of communications,
Bryan Sisk, clerk, Elizabeth Seong, staff assistant, William
Ackerly and Davidson Hulfish, interns, and for Mr. Turner's
staff, Trey Henderson, counsel, to my right and your left, and
Jean Gosa, minority clerk, and Joe Strickland, we thank you and
your colleague, Colleen Lynch, our court reporters.
I think that this has been very productive, at least for
us, and I hope it has to some degree for you. I thank each of
our witnesses today. Some of you have traveled great distances
to be here. Your testimony has been very helpful to this
subcommittee as we continue our oversight of computer security
issues in the United States.
As all of you are aware, the national and international
remediation efforts associated with Y2K were well coordinated
and highly successful, but that was after congressional
oversight when they finally got around to it and it worked out.
But this is a situation where you can't drift for the years
that we had drifted on Y2K. Y2K provided us with a snapshot of
our Nation's interdependence, and intradependence. This soaring
number of cyber attacks provides us with an entire photo album
and we need the same, in the United States at least, Y2K-type
of focus on this issue that we did on that issue.
Each of our governments must have a matrix in place to
ensure the security of its critical infrastructure. This
subcommittee is in the process of developing a system to gauge
the progress of our Federal agencies in protecting their
computer systems against these attacks. We will be examining
that progress in September.
We have asked the Comptroller General of the United States,
who heads the General Accounting Office, to be looking at all
of the computers's hardware as well as the software throughout
the Federal Government. We are way behind in a lot of
computing. We are still in the sixties in some parts, and many
of you are way ahead of us.
So each of our governments must have a matrix in place to
ensure the security of its critical infrastructures.
This subcommittee is in the process of developing a system,
as I said, to gauge the matter, just as we did on Y2K, and when
we come back from the August recess we'll be looking at this
matter again.
Beyond this domestic challenge, we all must begin
addressing the need for well-coordinated, international
structure that can provide timely and accurate information to
those who need it. On behalf of the subcommittee and the
Committee on Government Reform generally, I thank you for your
insight, your time, and your participation.
So have a wonderful trip home and we appreciate your coming
and spending your talents with us. We are now adjourned.
[Whereupon, at 3:03 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] T4152.129
[GRAPHIC] [TIFF OMITTED] T4152.130
[GRAPHIC] [TIFF OMITTED] T4152.131
[GRAPHIC] [TIFF OMITTED] T4152.132
[GRAPHIC] [TIFF OMITTED] T4152.133
[GRAPHIC] [TIFF OMITTED] T4152.134
[GRAPHIC] [TIFF OMITTED] T4152.135
[GRAPHIC] [TIFF OMITTED] T4152.136
[GRAPHIC] [TIFF OMITTED] T4152.137
[GRAPHIC] [TIFF OMITTED] T4152.138
[GRAPHIC] [TIFF OMITTED] T4152.139
[GRAPHIC] [TIFF OMITTED] T4152.140
[GRAPHIC] [TIFF OMITTED] T4152.141
[GRAPHIC] [TIFF OMITTED] T4152.142
[GRAPHIC] [TIFF OMITTED] T4152.143
[GRAPHIC] [TIFF OMITTED] T4152.144
[GRAPHIC] [TIFF OMITTED] T4152.145
[GRAPHIC] [TIFF OMITTED] T4152.146
[GRAPHIC] [TIFF OMITTED] T4152.147
[GRAPHIC] [TIFF OMITTED] T4152.148
[GRAPHIC] [TIFF OMITTED] T4152.149
-